Best way to do LDAP user based server restrictions?

I have configured FR 2.1.7 successfully and just wanted to confirm this is the best way to achieve what I am wanting to do.

I have a large number of NAS elements scattered throughout the network that we are trying to centralise on a pair of redundant FR servers. The authentication will be based on users out of LDAP, and I would also like to have the authorization based on LDAP groups, so I can add a user into a group in LDAP and they will then have access to login to the NAS device.

As part of this we need to restrict certain NAS types to a certain group of people, and return additional items as part of the Access-Accept such as Service-Type = "Login-User" or Cisco-avpair = "shell:priv-lvl=15" and such like.

In LDAP I have the following group and OU structure for NAS systems, and potentially there are any number of different responses depending on their access level per system, and thus I plan to add different users into the relevant group.

    cn=ResponseValue,ou=NAS,ou=Radius,o=Org

ie:

    cn=Login-User,ou=SystemA,ou=Radius,o=Org
    cn=Login-Admin,ou=SystemA,ou=Radius,o=Org
    cn=Level1,ou=SystemB,ou=Radius,o=Org
    cn=Level7,ou=SystemB,ou=Radius,o=Org
    cn=Level15,ou=SystemB,ou=Radius,o=Org

The only way I have got this to effectively work is as follows:

in the sites-enabled/default I have:

    authorize {
        ldap
    }
    authenticate {
        Auth-Type LDAP {
            ldap
        }
    }
    post-auth {
        files
    }

Then after I have modified the modules/files and added "postauth_usersfile = ${confdir}/postauth_users"

I also add in all the same devices in the same NAS group into the huntgroups file such as:

    SystemA NAS-IP-Address == 192.168.1.1

In the postauth_users file I need to put the logic to say if you are a member of this LDAP Group, and coming from this Hostgroup NAS server, then Access-Accept & include the correct reply.

    DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
            Service-Type = "Login-User"
    DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
            Service-Type = "Login-Admin"
    DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level1,ou=SystemB,ou=Radius,o=Org", Auth-Type := Accept
            Cisco-avpair = "shell:priv-lvl=1"

and so on.

Is there an easier way to have granular system access controls based on group memberships out of LDAP? As it's a pain to have one to one matchup from LDAP groups to the postauth_users.

Thanks

Peter

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
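The same NAS-per-group policy written as unlang in the authorize section of sites-enabled/default, as an added example that is not from the post or from the FreeRADIUS project: the Huntgroup-Name and Ldap-Group checks move out of postauth_users, reply attributes are added inline, and a user whose groups do not match the NAS is rejected before any LDAP bind happens. It assumes the standard dictionary value Administrative-User for the post's admin level (the post's "Login-Admin" is not a standard Service-Type value) and treats a NAS that is in no huntgroup as accepting nobody; the authenticate section stays exactly as in the post.

```unlang
authorize {
    preprocess   # sets Huntgroup-Name from the huntgroups file
    ldap         # finds the user's DN; Auth-Type LDAP is set here as in the post

    if (Huntgroup-Name == "SystemA") {
        # SystemA: group membership decides the Service-Type; no group, no login
        if (Ldap-Group == "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org") {
            update reply {
                Service-Type := Administrative-User
            }
        }
        elsif (Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org") {
            update reply {
                Service-Type := Login-User
            }
        }
        else {
            reject
        }
    }
    elsif (Huntgroup-Name == "SystemB") {
        # SystemB: highest privilege group is tested first so it wins on overlap
        if (Ldap-Group == "cn=Level15,ou=SystemB,ou=Radius,o=Org") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=15"
            }
        }
        elsif (Ldap-Group == "cn=Level7,ou=SystemB,ou=Radius,o=Org") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=7"
            }
        }
        elsif (Ldap-Group == "cn=Level1,ou=SystemB,ou=Radius,o=Org") {
            update reply {
                Cisco-AVPair := "shell:priv-lvl=1"
            }
        }
        else {
            reject
        }
    }
    else {
        reject   # assumption of this example: a NAS in no huntgroup accepts nobody
    }
}
```

With the checks in authorize, the post-auth { files } call and the postauth_users file are no longer needed; adding a NAS means one huntgroups line, and adding a level means one elsif branch.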
Re: Best way to do LDAP user and group restrictions?

Due to no responses from my email a few days ago I will assume that using the postauth_users is the best way to get granular LDAP user + group to login to a restricted number of NAS servers.

Will look to update the FR wiki with all my findings in detail.

Unless someone has a better suggestion on how to do this ;)

Thanks

Peter

On 1/11/2009, at 9:14 PM, Peter Lambrechtsen <plambrechtsen@...> wrote:

> I have configured FR 2.1.7 successfully and just wanted to confirm
> this is the best way to achieve what I am wanting to do.
>
> I have a large number of NAS elements scattered throughout the network
> that we are trying to centralise on a pair of redundant FR servers.
> The authentication will be based on users out of LDAP, and I would
> also like to have the authorization based on LDAP groups, so I can
> add a user into a group in LDAP and they will then have access to
> login to the NAS device.
>
> As part of this we need to restrict certain NAS types to a certain
> group of people, and return additional items as part of the
> Access-Accept such as Service-Type = "Login-User" or Cisco-avpair =
> "shell:priv-lvl=15" and such like.
>
> In LDAP I have the following group and OU structure for NAS systems,
> and potentially there are any number of different responses
> depending on their access level per system, and thus I plan to add
> different users into the relevant group.
>
> cn=ResponseValue,ou=NAS,ou=Radius,o=Org
>
> ie:
>
> cn=Login-User,ou=SystemA,ou=Radius,o=Org
> cn=Login-Admin,ou=SystemA,ou=Radius,o=Org
> cn=Level1,ou=SystemB,ou=Radius,o=Org
> cn=Level7,ou=SystemB,ou=Radius,o=Org
> cn=Level15,ou=SystemB,ou=Radius,o=Org
>
> The only way I have got this to effectively work is as follows:
>
> in the sites-enabled/default I have:
>
> authorize {
>     ldap
> }
> authenticate {
>     Auth-Type LDAP {
>         ldap
>     }
> }
> post-auth {
>     files
> }
>
> Then after I have modified the modules/files and added
> "postauth_usersfile = ${confdir}/postauth_users"
>
> I also add in all the same devices in the same NAS group into the
> huntgroups file such as:
>
> SystemA NAS-IP-Address == 192.168.1.1
>
> In the postauth_users file I need to put the logic to say if you are
> a member of this LDAP Group, and coming from this Hostgroup NAS
> server, then Access-Accept & include the correct reply.
>
> DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
>         Service-Type = "Login-User"
> DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
>         Service-Type = "Login-Admin"
> DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level1,ou=SystemB,ou=Radius,o=Org", Auth-Type := Accept
>         Cisco-avpair = "shell:priv-lvl=1"
>
> and so on.
>
> Is there an easier way to have granular system access controls
> based on group memberships out of LDAP? As it's a pain to have one
> to one matchup from LDAP groups to the postauth_users.
>
> Thanks
>
> Peter