(RADIATOR) authby LSA nested groups
Hugh Irvine
hugh at open.com.au
Thu Nov 1 16:19:47 CST 2007
Hello Sean -
On 2 Nov 2007, at 03:45, Kliger, Sean C wrote:
> Gentlemen--
>
> We're setting up a remote access server and using <AuthBy LSA> and
> that's working. What we'd like to do, though, is use nested groups
> (aka groups within a group) and it's my understanding that Radiator is
> currently unable to do this so we've currently defined groups in
> Radiator. What we'd like is to have a global AD group such as
> 'webvpn' and then let various admins dump their users or OUs into the
> global group. So, two questions:
>
> 1. Is my understanding of Radiator and nested groups correct?
Yes.
Here is the code from "Radius/AuthLSA.pm":

#####################################################################
# Check if the user is in the global group
sub userIsInGroup
{
    my ($self, $user, $group) = @_;

    require Win32::NetAdmin;
    import Win32::NetAdmin;

    my ($domain, $username) = $self->crack_name($user);

    # Find the controller to use
    my $controller = $self->{DomainController};
    if (!defined $controller)
    {
        $controller = $self->{controllers}{$domain};
        if (!defined $controller)
        {
            &Win32::NetAdmin::GetDomainController(undef, $domain, $controller);
            $self->{controllers}{$domain} = $controller;
        }
    }

    # Direct membership only: first the global group, then the local group
    return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
        || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
}
> 2. If so, are there plans to support nested groups?
>
Not at this time.
>
> The appropriate section of radius.cfg is:
>
> <Handler Client-Identifier=webvpn-servers>
>
>     <AuthBy LSA>
>         Domain xxx
>
>         Group ADM
>         Group CRD
>         #[more groups here but removed for size]
>     </AuthBy>
>
>     # Log it
>     AuthLog webvpn-authlog
>     AcctLogFileName %L/Acct/%Y-%m-%d-acct
> </Handler>
>
>
You could do some experiments with the AuthBy LDAP2 clause which
allows you to specify your own SearchFilter to do the Group checks:

<Handler Client-Identifier=webvpn-servers>
    AuthByPolicy ContinueWhileAccept

    <AuthBy LSA>
        Domain xxx
        .....
    </AuthBy>

    <AuthBy LDAP2>
        .....
        # do Group checks
        SearchFilter .....
        .....
    </AuthBy>

    # Log it
    AuthLog webvpn-authlog
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
</Handler>
regards
Hugh
>
> --Sean
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
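Added example (not code from the thread above or from Radiator): the
userIsInGroup routine quoted from AuthLSA.pm answers only "is the user a
direct member of this group", so a user whose only route into 'webvpn' is
via a group that was dropped into it is rejected. The script below models
that difference on a constructed in-memory directory (all DNs, names and
memberships are made up), walks memberOf transitively with a cycle guard,
and builds the Active Directory search filter that lets the domain
controller resolve the nesting itself via the LDAP_MATCHING_RULE_IN_CHAIN
OID 1.2.840.113556.1.4.1941, which is the kind of filter the SearchFilter
of the AuthBy LDAP2 clause Hugh suggests would carry. The filter builder
escapes the user name per RFC 4515 so a crafted RADIUS User-Name cannot
rewrite the filter.

```python
# Added example, not Radiator's own code. Compares direct membership (the
# semantics of Win32::NetAdmin::GroupIsMember used by AuthBy LSA) with
# transitive membership, and builds an AD filter that resolves nesting
# server-side. Directory contents below are constructed for the example.
from collections import deque
from typing import Dict, List, Set

# Constructed sample: object DN -> DNs of groups it is a DIRECT member of
# (its memberOf values). Includes a cycle (LOOP_A <-> LOOP_B), which real
# directories can contain and which a naive walk must survive.
WEBVPN = "CN=webvpn,OU=Groups,DC=example,DC=com"
ADM = "CN=ADM,OU=Groups,DC=example,DC=com"
CRD = "CN=CRD,OU=Groups,DC=example,DC=com"
LOOP_A = "CN=loopA,OU=Groups,DC=example,DC=com"
LOOP_B = "CN=loopB,OU=Groups,DC=example,DC=com"
SEAN = "CN=skliger,OU=Users,DC=example,DC=com"
BOB = "CN=bob,OU=Users,DC=example,DC=com"

DIRECTORY: Dict[str, List[str]] = {
    SEAN: [ADM],        # Sean is directly in ADM only ...
    ADM: [WEBVPN],      # ... and ADM was dropped into the global group
    BOB: [CRD],
    CRD: [],            # CRD exists but is not nested under webvpn
    LOOP_A: [LOOP_B],
    LOOP_B: [LOOP_A],
    WEBVPN: [],
}


def direct_member(directory: Dict[str, List[str]], dn: str, group: str) -> bool:
    """Direct membership only: what GroupIsMember in AuthLSA.pm checks."""
    return group in directory.get(dn, [])


def transitive_groups(directory: Dict[str, List[str]], dn: str) -> Set[str]:
    """Every group reachable from dn via memberOf; breadth-first, cycle-safe."""
    seen: Set[str] = set()
    queue = deque(directory.get(dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue        # already expanded: this is what terminates cycles
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def nested_member(directory: Dict[str, List[str]], dn: str, group: str) -> bool:
    """Membership through any depth of group nesting."""
    return group in transitive_groups(directory, dn)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: \\ * ( ) and NUL become \\xx,
    so a User-Name like 'x*)(objectClass=*' cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ad_nested_filter(username: str, group_dn: str,
                     user_attr: str = "sAMAccountName") -> str:
    """Filter that matches only if username is a transitive member of
    group_dn; the AD domain controller walks the nesting itself."""
    return "(&(%s=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))" % (
        user_attr, escape_filter_value(username), escape_filter_value(group_dn))


if __name__ == "__main__":
    for who in (SEAN, BOB):
        print(who, "direct:", direct_member(DIRECTORY, who, WEBVPN),
              "nested:", nested_member(DIRECTORY, who, WEBVPN))
    print(ad_nested_filter("skliger", WEBVPN))
```

The matching-rule-in-chain filter is specific to Active Directory; a
generic LDAP server will ignore or reject the rule, in which case the
client-side walk in transitive_groups is the fallback. Either way the
username must be escaped before it is spliced into the filter.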