(RADIATOR) LDAP/ServerTACACSPLUS question
Ingvar Berg (LI/EAB)
ingvar.berg at ericsson.com
Thu Jul 20 09:29:04 CDT 2006
I think you have three options for a decent solution:
1. Have the file updated (more or less automated depending on directory
server features) by a tool that reads the necessary data from LDAP and
formats it to the file format.
2. <AuthBy DIY>, a module that reads the necessary data from LDAP and
updates it either at intervals or when notified.
3. Have Mike add a cache function for selectable LDAP attributes, so you
don't need to make the extra query for each authentication.
> -----Original Message-----
> From: owner-radiator at open.com.au
> [mailto:owner-radiator at open.com.au] On Behalf Of mark
> Sent: den 20 juli 2006 12:45
> To: radiator at open.com.au
> Subject: (RADIATOR) LDAP/ServerTACACSPLUS question
> Hello List,
> I am still trying to create a configuration where users
> (router/switch/operators) can authenticate and authorize
> against an LDAP server. It works now but not too my
> satisfaction. All the av-pair's are in the LDAP user-profile,
> it would be better if the authorization was linked at the
> group level. So ,first authenticate and then get the
> authorization from the associated group.
> What i've picked from the list, the AuthBy section in the cfg
> should look something like this :
> <AuthBy LDAP2>
> #get user and group
> <AuthBy FILE>
> # check group
> The thing is i want none of the info coming from a file but
> all of it centralized in the LDAP-database.
> I know i can login as a user and as a group ; the group login
> (with no PasswordAttr) and the group gets the appropriate
> permissions on the switch/router I want to know how i can
> have two subsequent queries of the ldap-server, first for
> the user-authentication, and then for the authorization via
> the properties of the LDAP-group the user belongs to.
> Hope you can point me in the right direction.
> Greetings Mark
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au To
> unsubscribe, email 'majordomo at open.com.au' with 'unsubscribe
> radiator' in the body of the message.
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator