[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Want interesting restrictions to ldap auth on different servers to different users

2010/12/6 Dan White <dwhite@olp.net>:
> On 06/12/10 15:34 +0300, c0re wrote:
>> 2010/12/1 Dan White <dwhite@olp.net>:
>> Thanks for example!
>> But it still requires to edit clients.conf when adding device. And not
>> restricts by groups.
> That's true, unless you have some of your clients coming from behind
> one NAT address. I'm not aware of any way around that.
>> As per http://wiki.freeradius.org/Rlm_ldap I can use
>> groupmembership_filter =
>> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> If there any other variables that can be used? I mean not only
>> Ldap-userDn, but something like Ldap-clientIP, or Ldap-clientHostname
>> or anything else to unique identify remote device. So I can use
>> dynamic groups in OpenLdap and restrict access to device by group
>> membership.
> As for the client IP, or other identifying information of the
> authenticating device, I've always tried to use huntgroups to identify the
> device rather than trying to perform a match in the LDAP filter, but that
> approach might work just fine.
> Keep in mind that different types of devices will send more or less
> information in its RADIUS request. Running freeradius in '-X' mode, and
> sending a sample request will show you the information that you might be
> able to match on.
> --
> Dan White

Thanks for tip about -X mode, will do it if get troubles.

Found very interesting message in mailists here:
Even more interesting - storing NAS secret in ldap!

And using variable Packet-Src-IP-Address to differ source devices.
Will try to get it work at this week.