
Re: Want interesting restrictions to ldap auth on different servers to different users



2010/12/1 Dan White <dwhite@olp.net>:
> On 01/12/10 18:27 +0300, c0re wrote:
>>
>> Can't understand how to use the nssov overlay in my case, but I
>> understood the dynamic groups overlay and it should fit my needs.
>>
>> Also I've got freeradius that authenticates users by looking in ldap.
>> Works well. But I can't understand how to restrict users to logging in
>> to some devices. At the moment all users have access to all devices
>> via radius. Same request - this must be controlled via openldap.
>>
>> Maybe someone uses freeradius and has already made such restrictions
>> and can give me some tips.
>
> Here's one approach:
>
> Given a huntgroups file of:
>
> device1 NAS-IP-Address == 192.168.1.1
> cisco1  NAS-IP-Address == 192.168.1.2
>
> and corresponding entries in your clients.conf, you can add something like
> this in your users file:
>
> DEFAULT Huntgroup-Name == "device1", ldap-customattr-Ldap-Group == "device1"
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == "device1", Auth-Type := Reject
>
> DEFAULT Huntgroup-Name == "cisco1", ldap-customattr-Ldap-Group ==
> "cisco1/admin", User-Profile := "cn=ciscoadmin,ou=radius,dc=example,dc=net"
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == "cisco1", Auth-Type := Reject
>
> then create /etc/freeradius/modules/ldap-customattr with:
>
> ldap ldap-customattr {
>
>        server   = "ldap://ldap.example.net";
>        ldap_debug = 0x0028
>        identity = "$dn"
>        password = $pass
>        ldap_connections_number = 5
>        basedn   = "dc=example,dc=net"
>        filter   = "(uid=%u)"
>        start_tls = no
>        tls_mode = no
>        password_attribute = "userPassword"
>        groupname_attribute = "customattr"
>        groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>        groupmembership_attribute = "customattr"
>
> }
>
> Add 'ldap-customattr' inside the 'instantiate' section within
> /etc/freeradius/radiusd.conf.
>
> Add this to your tree:
>
> dn: cn=ciscoadmin,ou=radius,dc=example,dc=net
> objectClass: radiusObjectProfile
> objectClass: radiusprofile
> cn: ciscoadmin
> radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
>
>
> Then within your user entries, any user with:
>
> customattr: device1
>
> will be authorized to authenticate to device1, and
>
> customattr: cisco1/admin
>
> will authenticate to cisco1, and will also drop directly into enable mode,
> assuming the cisco device is configured to do so.
>
> --
> Dan White
>

Thanks for the example!

But it still requires editing clients.conf when adding a device. And it
doesn't restrict by groups.

As per http://wiki.freeradius.org/Rlm_ldap I can use

groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

Are there any other variables that can be used? I mean not only
Ldap-UserDn, but something like Ldap-clientIP or Ldap-clientHostname,
or anything else to uniquely identify the remote device. So I can use
dynamic groups in OpenLDAP and restrict access to a device by group
membership.
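The following is an added example, not code from either poster and not FreeRADIUS or OpenLDAP code: it replays the rule ordering of the quoted users-file snippet (huntgroup match, then the Ldap-Group check against the user's customattr values, then the Auth-Type := Reject catch-all) against a constructed in-memory directory, so the accept/reject outcome and reply items for a given (user, NAS) pair can be checked offline. The huntgroup addresses, user names, customattr values and the realm-stripping helper are all assumptions chosen to mirror the post; real FreeRADIUS decides this inside rlm_ldap and the users file, not in Python.

```python
"""Offline model of the per-device access policy in the quoted users file.

Added example, not FreeRADIUS or OpenLDAP code: replays the ordered
DEFAULT entries from the post against a constructed directory so the
outcome for a (User-Name, NAS-IP-Address) pair can be checked without a
RADIUS server or an LDAP connection.
"""

# Constructed huntgroups file: huntgroup name -> NAS-IP-Address it matches.
HUNTGROUPS = {
    "device1": "192.168.1.1",
    "cisco1": "192.168.1.2",
}

# Constructed directory contents (uid -> multi-valued customattr).
# "dave" exists but carries no customattr; "erin" does not exist at all.
DIRECTORY = {
    "alice": ["device1"],
    "bob": ["cisco1/admin"],
    "carol": ["device1", "cisco1/admin"],
    "dave": [],
}

# The radiusprofile entry from the post, keyed by its DN (constructed copy).
PROFILES = {
    "cn=ciscoadmin,ou=radius,dc=example,dc=net": {
        "cisco-avpair": "shell:priv-lvl=15",
    },
}

# The users-file DEFAULT entries, in file order. Each tuple is
# (Huntgroup-Name, required Ldap-Group value or None, User-Profile DN or None).
# A None requirement models the trailing "Auth-Type := Reject" catch-all.
RULES = [
    ("device1", "device1", None),
    ("device1", None, None),
    ("cisco1", "cisco1/admin", "cn=ciscoadmin,ou=radius,dc=example,dc=net"),
    ("cisco1", None, None),
]


def stripped_user_name(user_name):
    """Model %{Stripped-User-Name:-%{User-Name}}: drop a trailing @realm."""
    return user_name.split("@", 1)[0]


def huntgroup_for(nas_ip):
    """Return the first huntgroup whose NAS-IP-Address condition matches."""
    for name, ip in HUNTGROUPS.items():
        if ip == nas_ip:
            return name
    return None


def evaluate(user_name, nas_ip):
    """Decide the outcome for one Access-Request.

    Returns a dict with "action" in {"drop", "reject", "accept"} and, on
    accept, a "reply" dict holding the profile's radiusReplyItem values.
    """
    huntgroup = huntgroup_for(nas_ip)
    if huntgroup is None:
        # No huntgroup implies no clients.conf entry either: radiusd
        # silently discards packets from a NAS it does not know.
        return {"action": "drop", "reason": "unknown NAS %s" % nas_ip}

    uid = stripped_user_name(user_name)
    groups = DIRECTORY.get(uid)
    if groups is None:
        # (uid=%u) finds nothing, so the Ldap-Group check can never match.
        return {"action": "reject", "reason": "no such user %s" % uid}

    for rule_hg, required, profile_dn in RULES:
        if rule_hg != huntgroup:
            continue
        if required is None:
            return {"action": "reject", "reason": "no customattr for %s" % huntgroup}
        if required in groups:
            # Fall-Through = no: the first matching entry ends the search.
            return {"action": "accept", "reply": dict(PROFILES.get(profile_dn, {}))}
        # An entry whose check items fail is skipped and the next DEFAULT tried.
    return {"action": "reject", "reason": "no rule for %s" % huntgroup}


if __name__ == "__main__":
    for user, nas in [("alice", "192.168.1.1"), ("alice", "192.168.1.2"),
                      ("bob@example.net", "192.168.1.2"), ("dave", "192.168.1.1"),
                      ("erin", "192.168.1.1"), ("alice", "10.0.0.1")]:
        print(user, nas, evaluate(user, nas))
```

Note that a user who is absent from the directory and a user who is present but lacks the customattr value both end at the Reject catch-all for that huntgroup, while a NAS that has no huntgroup (and therefore no clients.conf entry) never reaches the users file at all; that last case is the "still have to edit clients.conf" limitation raised above.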