(RADIATOR) Multiple groups from LDAP

Hugh Irvine hugh at open.com.au
Mon Apr 16 20:44:30 CDT 2007


Hello Brent -

You are correct - you will need an AuthBy LDAP for each case.

If you are concerned about performance, you could use a StartupHook to load the group definitions into memory from the LDAP server, and then use a PostAuthHook to apply them.

There are numerous example hooks in the Radiator distribution in "goodies/hooks.txt".

hope that helps

regards

Hugh


On 17 Apr 2007, at 10:23, Brent Miller wrote:

> Question regarding multiple groups.
>
> We have Radiator authenticating a Cisco ASA off of an LDAP server (OS X OD if it makes a difference). Works wonderfully for yes/no access. I'm starting on having Radiator push specific DACLs for users depending on what groups they belong to. The hard part is the groups have to be additive with their DACLs (being in both group A and B needs to give access to server A and B).
>
> What's the recommended method for this? I figure worst case is an <AuthBy Group> with an <AuthBy LDAP> for each access group, with a specific AddToReply cisco-avpair in each one, but I'm hoping there's a cleaner way than making an LDAP call for each group each time a user tries to log in.
>
>
>
> Brent Miller
> Network Support Engineer
> United States Institute of Peace
> (202) 429-1970
>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
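The StartupHook/PostAuthHook approach Hugh suggests, as an added example that is not from the thread or from Radiator's goodies/hooks.txt. It assumes POSIX-style group entries with memberUid values, a hypothetical group-to-DACL table, constructed DNs and a placeholder bind password, and config lines of the form shown in the header comment.

```perl
# Added example, not from the thread or Radiator's goodies/hooks.txt.
# Assumed radiusd.cfg wiring (hypothetical path and names):
#   StartupHook  sub { require "/etc/radiator/dacl_hooks.pl"; dacl_load_groups(); }
#   PostAuthHook sub { dacl_apply(${$_[0]}, ${$_[1]}, ${$_[2]}); }
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Group name -> downloadable-ACL lines for the ASA (constructed values).
our %DACL = (
    'server-a-users' => ['permit ip any host 10.0.0.10'],
    'server-b-users' => ['permit ip any host 10.0.0.20'],
);
# user -> { group => 1 }, filled once at startup and read on every Access-Accept.
# Membership changes are only picked up on restart, so a user removed from a
# group keeps the old ACL until radiusd is restarted: reload on a schedule if
# that window matters.
our %USER_GROUPS;

sub dacl_load_groups {
    my $ldap = Net::LDAP->new('ldap.example.com') or die "ldap connect: $@";
    my $mesg = $ldap->bind('uid=radiator,cn=users,dc=example,dc=com',
                           password => 'PLACEHOLDER-BIND-PASSWORD');
    die 'ldap bind: ' . $mesg->error if $mesg->code;
    for my $group (keys %DACL) {
        my $cn = escape_filter_value($group);
        $mesg = $ldap->search(base   => 'cn=groups,dc=example,dc=com',
                              filter => "(&(objectClass=posixGroup)(cn=$cn))",
                              attrs  => ['memberUid']);
        die "ldap search $group: " . $mesg->error if $mesg->code;
        for my $entry ($mesg->entries) {
            $USER_GROUPS{$_}{$group} = 1 for $entry->get_value('memberUid');
        }
    }
    $ldap->unbind;
    &main::log($main::LOG_INFO, 'dacl_hooks: cached groups for '
               . scalar(keys %USER_GROUPS) . ' users');
}

sub dacl_apply {
    my ($p, $rp, $result) = @_;
    return unless $result == $main::ACCEPT;   # only decorate Access-Accepts
    my $user   = $p->getUserName;
    my $groups = $USER_GROUPS{$user} or return;
    my $n = 0;
    # ACLs are additive: ip:inacl#N indices must be unique across groups,
    # so number them in one sequence; sort for a stable, auditable order.
    for my $group (sort keys %$groups) {
        $rp->add_attr('cisco-avpair', 'ip:inacl#' . ++$n . '=' . $_) for @{ $DACL{$group} };
    }
    &main::log($main::LOG_DEBUG, "dacl_hooks: $user got $n ACL lines from "
               . join(',', sort keys %$groups));
}
1;
```

A user in both groups receives two cisco-avpair attributes (inacl#1 for server A, inacl#2 for server B) from a single cached lookup, with no per-group LDAP query at login time.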
