(RADIATOR) LDAP/ServerTACACSPLUS question

Hugh Irvine hugh at open.com.au
Thu Jul 20 18:55:55 CDT 2006


Hello Mark -

You simply need two AuthBy LDAP2 clauses, something like this:


# define Realm or Handler

<Realm ...>

	# continue to the next AuthBy only while the previous one accepted
	AuthByPolicy ContinueWhileAccept

	<AuthBy LDAP2>
		# authenticate the user and get user and group
		.....
	</AuthBy>

	<AuthBy LDAP2>
		# check group using what the first clause put in the request
		.....
		SearchFilter (....)
	</AuthBy>

</Realm>


You can add the group information to the current request in the first
AuthBy clause and then use the information to check it in the second
AuthBy clause.

hope that helps

regards

Hugh


On 20 Jul 2006, at 20:44, mark wrote:

> Hello List,
>
> I am still trying to create a configuration where users
> (router/switch/operators) can authenticate and authorize against an LDAP
> server. It works now but not to my satisfaction. All the av-pairs are
> in the LDAP user-profile; it would be better if the authorization
> was linked at the group level. So, first authenticate and then get the
> authorization from the associated group.
>
> What I've picked up from the list, the AuthBy section in the cfg
> should look something like this:
>
> <AuthBy LDAP2>
> 	# get user and group
>
> </AuthBy>
>
> <AuthBy FILE>
> 	# check group
> 	.....
> </AuthBy>
>
> The thing is I want none of the info coming from a file but all
> of it centralized in the LDAP database.
> I know I can log in as a user and as a group; the group login
> (with no PasswordAttr) and the group gets the appropriate
> permissions on the switch/router.
> I want to know how I can have two subsequent queries of the LDAP
> server, first for the user authentication, and then for the authorization
> via the properties of the LDAP group the user belongs to.
>
> Hope you can point me in the right direction.
>
> Greetings Mark
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
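A fuller version of the two-clause layout sketched above, as an added example that is not part of Hugh's reply or of the Radiator manual. The directive names (AuthByPolicy, ServerChecksPassword, NoCheckPassword, AuthAttrDef, SearchFilter, the %{Request:...} special) are Radiator's AuthBy LDAP2 directives; everything else is assumed for the example: the hostname and DNs, the bind password placeholder, a posixAccount/posixGroup schema, a group attribute named radiusReplyItem holding "attr=value" reply items, and the use of the standard Class attribute as the scratch request attribute that carries the group id from the first clause to the second.

```text
# Added example (not Hugh's config): authenticate the user in one
# AuthBy LDAP2, then authorize from the user's group in a second one.
# Hostnames, DNs, the bind password, the posixAccount/posixGroup schema
# and the "radiusReplyItem" group attribute are all assumptions.
<Realm DEFAULT>
	# Move on to the next AuthBy only while each one accepts; a reject
	# from either clause rejects the request.
	AuthByPolicy ContinueWhileAccept

	# Step 1: authenticate the user. gidNumber from the user entry is
	# copied into the request (into the standard Class attribute, chosen
	# only because every dictionary defines it) for step 2 to use.
	<AuthBy LDAP2>
		Host ldap.example.com
		AuthDN cn=radiator,ou=services,dc=example,dc=com
		AuthPassword CHANGE-ME-BIND-PASSWORD
		BaseDN ou=people,dc=example,dc=com
		UsernameAttr uid
		# Let the directory verify the password by binding as the user,
		# so no password attribute has to be readable by the bind account
		ServerChecksPassword
		AuthAttrDef gidNumber,Class,request
	</AuthBy>

	# Step 2: no password check; find the posixGroup whose gidNumber
	# matches the value saved in the request, and turn its
	# radiusReplyItem values (e.g. "cisco-avpair=shell:priv-lvl=15")
	# into reply attributes for the TACACS+ authorization response.
	<AuthBy LDAP2>
		Host ldap.example.com
		AuthDN cn=radiator,ou=services,dc=example,dc=com
		AuthPassword CHANGE-ME-BIND-PASSWORD
		BaseDN ou=groups,dc=example,dc=com
		NoCheckPassword
		SearchFilter (&(objectClass=posixGroup)(gidNumber=%{Request:Class}))
		AuthAttrDef radiusReplyItem,GENERIC,reply
	</AuthBy>
</Realm>
```

Because the second clause still rejects when its search returns no entry, a user whose gidNumber matches no group in ou=groups is denied outright rather than being let through with empty authorization, which is the safer failure mode for device administration. When testing, a trace 4 debug run should show the Class attribute added to the request after the first clause and the group's reply items added after the second.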

