[RADIATOR] AuthBy LSA and BaseDN

[Heikki Vatiainen]

On 09/12/2012 08:03 PM, Craig Simons wrote:

> Basically, our AD permission structure is such that not all OU
> containers are "trusted" enough to allow wireless authentication. So, I
> only want to allow authentication based on user entries in a specific OU
> as opposed to users who are members of a group (not quite the same thing
> I'm led to believe).

Yes, I think these are different things. The LDAP tree structure AD uses
tells where the users can be found and the user then has e.g., group
membership as attribute.

> We (currently) run Radiator on Windows servers and therefore use the LSA
> module for AD authentication. The manual doesn't have any specific
> configuration options for this module that appear to be able to limit
> searches.

The AD directory tree structure is not visible via LSA API. We thought
about two options:
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if
the user has a DN (location in the tree) with allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.

2. Create a new group and place all users that are not allowed to use
wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of blacklisted group,
access would not be allowed.

Do you think option 2 would solve your problem?

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.