(RADIATOR) LDAP/ServerTACACSPLUS question
Ingvar Berg (LI/EAB)
ingvar.berg at ericsson.com
Thu Jul 20 09:29:04 CDT 2006
Hi Mark,
I think you have three options for a decent solution:
1. Have the file updated (more or less automated depending on directory
server features) by a tool that reads the necessary data from LDAP and
formats it to the file format.
2. <AuthBy DIY>, a module that reads the necessary data from LDAP and
updates it either at intervals or when notified.
3. Have Mike add a cache function for selectable LDAP attributes, so you
don't need to make the extra query for each authentication.
/Ingvar
> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of mark
> Sent: den 20 juli 2006 12:45
> To: radiator at open.com.au
> Subject: (RADIATOR) LDAP/ServerTACACSPLUS question
>
> Hello List,
>
> I am still trying to create a configuration where users
> (router/switch/operators) can authenticate and authorize
> against an LDAP server. It works now but not to my
> satisfaction. All the av-pairs are in the LDAP user-profile;
> it would be better if the authorization was linked at the
> group level. So, first authenticate and then get the
> authorization from the associated group.
>
> From what I've picked up from the list, the AuthBy section in the cfg
> should look something like this:
>
> <AuthBy LDAP2>
> #get user and group
>
> </AuthBy>
>
>
> </AuthBy>
> <AuthBy FILE>
> # check group
> .....
> </AuthBy>
>
> The thing is I want none of the info coming from a file but
> all of it centralized in the LDAP database.
> I know I can log in as a user and as a group; the group login
> (with no PasswordAttr) and the group gets the appropriate
> permissions on the switch/router. I want to know how I can
> have two subsequent queries of the LDAP server, first for
> the user authentication, and then for the authorization via
> the properties of the LDAP group the user belongs to.
>
> Hope you can point me in the right direction.
>
> Greetings Mark
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au To
> unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe
> radiator' in the body of the message.
>