[RADIATOR] AuthBy LSA and BaseDN

Heikki Vatiainen hvn at open.com.au
Thu Sep 13 07:53:40 CDT 2012


On 09/12/2012 08:03 PM, Craig Simons wrote:

> Basically, our AD permission structure is such that not all OU
> containers are "trusted" enough to allow wireless authentication. So, I
> only want to allow authentication based on user entries in a specific OU
> as opposed to users who are members of a group (not quite the same thing
> I'm led to believe).

Yes, I think these are different things. The LDAP tree structure AD uses
tells where the users can be found, and the user then has, e.g., group
membership as an attribute.

> We (currently) run Radiator on Windows servers and therefore use the LSA
> module for AD authentication. The manual doesn't have any specific
> configuration options for this module that appear to be able to limit
> searches.

The AD directory tree structure is not visible via LSA API. We thought
about two options:
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if
the user has a DN (location in the tree) with allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.

2. Create a new group and place all users that are not allowed to use
the wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of the blacklisted group,
access would not be allowed.

Do you think option 2 would solve your problem?

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
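The DN check that option 1 above relies on, as an added example that is neither from this thread nor Radiator's own code: a Python function that parses the user's DN into RDNs and tests whether it lies beneath an allowed OU, so it could sit in front of the LSA password check. The allowed OU and the sample DNs are constructed placeholders; entries in sub-OUs of the allowed OU pass too.

```python
# Added example (not from the mailing-list thread or Radiator's own code):
# decide whether a user's LDAP DN sits under an allowed OU, which is the
# check option 1 performs before handing the password to AuthBy LSA.
# The DN is parsed into RDNs (backslash escapes honoured) rather than
# substring-matched, so "OU=Wireless" inside a CN value does not count.

from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, keeping escaped commas inside a value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literal
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value for a case-insensitive comparison."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def dn_under_ou(user_dn: str, allowed_ou_dn: str) -> bool:
    """True if allowed_ou_dn is a parent (DN suffix) of user_dn, RDN by RDN."""
    user = [normalize_rdn(r) for r in split_dn(user_dn)]
    allowed = [normalize_rdn(r) for r in split_dn(allowed_ou_dn)]
    if len(allowed) >= len(user):  # the OU entry itself is not a user
        return False
    return user[-len(allowed):] == allowed


# Constructed placeholder for the "trusted" OU (assumption, not from the thread)
TRUSTED_OU = "OU=Wireless,OU=Staff,DC=example,DC=com"


def allow_wireless(user_dn: str) -> bool:
    """Policy decision: only entries beneath TRUSTED_OU may authenticate."""
    return dn_under_ou(user_dn, TRUSTED_OU)
```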