(RADIATOR) authby LSA nested groups

Hugh Irvine hugh at open.com.au
Thu Nov 1 16:19:47 CST 2007


Hello Sean -


On 2 Nov 2007, at 03:45, Kliger, Sean C wrote:

> Gentlemen--
>
> We're setting up a remote access server and using <AuthBy LSA> and
> that's working.  What we'd like to do though, is use nested groups
> (aka groups within a group) and it's my understanding that Radiator is
> currently unable to do this so we've currently defined groups in
> Radiator.  What we'd like is to have a global AD group such as 'webvpn'
> and then let various admins dump their users or OUs into the global
> group.  So, two questions:
>
> 1. Is my understanding of Radiator and nested groups correct?

Yes.

Here is the code from "Radius/AuthLSA.pm":

#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
    my ($self, $user, $group) = @_;

    # Win32::NetAdmin is loaded on demand: it only exists on Windows
    require Win32::NetAdmin;
    import Win32::NetAdmin;

    # Split the user name into its domain and account name parts
    my ($domain, $username) = $self->crack_name($user);

    # Find the controller to use: an explicit DomainController from the
    # config, else one looked up for the domain and cached per domain
    my $controller = $self->{DomainController};
    if (!defined $controller)
    {
        $controller = $self->{controllers}{$domain};
        if (!defined $controller)
        {
            &Win32::NetAdmin::GetDomainController(undef, $domain, $controller);
            $self->{controllers}{$domain} = $controller;
        }
    }

    # Direct membership only: groups nested inside $group are not expanded
    return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
        || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
}



> 2. If so, are there plans to support nested groups?
>

Not at this time.

>
> The appropriate section of radius.cfg is:
>
> <Handler Client-Identifier=webvpn-servers>
>
> 	<AuthBy LSA>
> 		Domain xxx
> 		
> 		Group ADM
> 		Group CRD
> 		#[more groups here but removed for size]
> 	</AuthBy>	
>
> 	# Log it
> 	AuthLog			webvpn-authlog
> 	AcctLogFileName		%L/Acct/%Y-%m-%d-acct
> </Handler>
>
>

You could do some experiments with the AuthBy LDAP2 clause, which
allows you to specify your own SearchFilter to do the Group checks:


<Handler Client-Identifier=webvpn-servers>

	AuthByPolicy ContinueWhileAccept

	<AuthBy LSA>
		Domain xxx
		.....
	</AuthBy>	

	<AuthBy LDAP2>
		.....
		# do Group checks
		SearchFilter .....
		.....
	</AuthBy>

	# Log it
	AuthLog			webvpn-authlog
	AcctLogFileName		%L/Acct/%Y-%m-%d-acct

</Handler>


regards

Hugh


>
> --Sean
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
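The gap discussed in this thread, shown as an added example that is not part of the original post and not Radiator code (Python rather than Radiator's Perl, and it talks to no directory): a direct check like the one in userIsInGroup above answers "is the user listed on the group object itself", while a nested-group check has to walk member-of-member chains, stopping on circular nesting, which Active Directory allows. The DNs, the groups (webvpn, ADM, CRD, loop) and the users are constructed sample data. The last function builds the Active Directory filter that does the same walk on the server side, via the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), which is the kind of expression one would put in an AuthBy LDAP2 SearchFilter; the attribute names sAMAccountName and memberOf are the standard AD ones, and the RFC 4515 escaping is there so that a RADIUS User-Name cannot rewrite the filter.

```python
"""Nested (transitive) group membership over a constructed AD-like model."""
from collections import deque

# Constructed sample directory: group DN -> set of member DNs.
# webvpn holds ADM, CRD, loop and alice directly; CRD nests ADM again;
# loop and webvpn contain each other (a cycle, which AD permits).
BASE = "OU=Groups,DC=example,DC=com"
WEBVPN = f"CN=webvpn,{BASE}"
ADM = f"CN=ADM,{BASE}"
CRD = f"CN=CRD,{BASE}"
LOOP = f"CN=loop,{BASE}"
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"
CAROL = "CN=carol,OU=Users,DC=example,DC=com"
DAVE = "CN=dave,OU=Users,DC=example,DC=com"

GROUPS = {
    WEBVPN: {ADM, CRD, LOOP, ALICE},
    ADM: {BOB},
    CRD: {ADM, CAROL},
    LOOP: {WEBVPN},
}


def is_direct_member(user_dn, group_dn, groups=GROUPS):
    """What a non-recursive check answers: is the user listed on the
    group object itself?  bob is in ADM, so this says no for webvpn."""
    return user_dn in groups.get(group_dn, set())


def is_nested_member(user_dn, group_dn, groups=GROUPS):
    """Transitive check: breadth-first walk through member groups.
    The seen set terminates the walk on circular nesting."""
    seen = {group_dn}
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, set()):
            if member == user_dn:
                return True
            if member in groups and member not in seen:
                seen.add(member)
                queue.append(member)
    return False


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter:
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


# Active Directory extensible match rule that expands nested membership
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def in_chain_filter(username, group_dn):
    """Server-side equivalent of is_nested_member on AD: the DC walks
    the memberOf chain itself, so one search answers the question."""
    return "(&(sAMAccountName=%s)(memberOf:%s:=%s))" % (
        ldap_filter_escape(username),
        LDAP_MATCHING_RULE_IN_CHAIN,
        ldap_filter_escape(group_dn),
    )


if __name__ == "__main__":
    print("bob direct in webvpn:", is_direct_member(BOB, WEBVPN))
    print("bob nested in webvpn:", is_nested_member(BOB, WEBVPN))
    print(in_chain_filter("bob", WEBVPN))
```

The in-chain match moves the walk to the domain controller, which is cheaper than fetching every group's member list, but it is only available on Active Directory, and whatever substitutes the RADIUS User-Name into the filter must escape it as ldap_filter_escape does, or a crafted user name can change what the search matches.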

