[RADIATOR] [External] Re: Different Reply Item based on LDAP (AD) Group membership
Johnson, Neil M
neil-johnson at uiowa.edu
Sat Mar 7 12:44:38 UTC 2020
I do have our various types of network equipment grouped by Client-Identifier. Right now I have a separate handler for each Client-Identifier that has an AddToReply statement to return the attribute required for admin level access.
Now the requirement is that, based on group membership, to provide levels of access to the devices.
So, your last statement: "Or alternatively, your PostAuthHook in the AuthBy LDAP2 clause would use the Client-Identifier together with the LDAP group information to query a UserGroup/DeviceGroup matrix in an SQL database for example." Ideally, that is what I'm looking for...
If you could point me to an example(s) I'd greatly appreciate it!
On 3/6/20, 5:05 PM, "Hugh Irvine" <hugh at open.com.au> wrote:
Hi Neil -
It depends on how you are going to return the reply attribute(s)?
It also depends on how the reply attributes are stored, if not directly listed in the AuthBy LDAP2 clause?
If the reply attribute(s) is/are static in the configuration file, then yes multiple AuthBy LDAP2 clauses is the simplest way.
For more complex scenarios you may need to use a PostSearchHook and some form of external storage.
In the general case, each piece of network equipment would be listed with an Identifier tag to group them, and your configuration file would be based on Handlers using the Client-Identifier.
Or alternatively, your PostAuthHook in the AuthBy LDAP2 clause would use the Client-Identifier together with the LDAP group information to query a UserGroup/DeviceGroup matrix in an SQL database for example.
If you can give us a bit more detail we may be able to make better suggestions.
> On 7 Mar 2020, at 09:41, Johnson, Neil M <neil-johnson at uiowa.edu> wrote:
> What is the correct way to return a different reply attribute depending on a user’s AD membership in a group using AuthBy LDAP2?
> The idea is to give some users full privileges to network equipment or limited privileges based on AD group membership.
> <AuthBy LDAP2>
> Identifier uiowa_ad_users
> Host XXXXX.iowa.uiowa.edu
> AuthDN CN=serviceid,OU=ServiceIDs,OU=User Accounts,DC=iowa,DC=uiowa,DC=edu
> AuthPassword SECRET
> Port 389
> SSLVerify None
> BaseDN DC=iowa,DC=uiowa,DC=edu
> Scope base
> SearchFilter (objectclass=*)
> UsernameAttr sAMAccountName
> </AuthBy>
> Do I use multiple AuthBy LDAP2 sections with different search filters in an AuthBy GROUP, or is there something I can do with AuthAttrDef?
> Multiple Google searches have been inconclusive and I’m not sure what the best solution is according to the manual.
hugh at open.com.au
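The device-group/AD-group matrix Hugh describes, sketched as an added Perl PostSearchHook (example code written for this page, not from the thread or the Radiator manual): it takes the Client-Identifier from the request and memberOf from the LDAP entry, and returns a Cisco-AVPair privilege level only when the matrix grants one, so unmatched users get no elevated access. The hook argument order, the Client-Identifier names, the group DNs and the in-file hash (standing in for Hugh's SQL table) are assumptions.

```perl
# group_access.pl: added example (hypothetical), loaded from the AuthBy LDAP2
# clause with   PostSearchHook file:"%D/group_access.pl"
# Assumes the hook is called as ($self, $name, $p, $user, $entry, $rp) and that
# the LDAP search returns the AD memberOf attribute for the user.
use strict;
use warnings;

# Device-group x AD-group matrix keyed by Client-Identifier (one per Handler,
# as in Neil's setup). Inner keys are AD group DNs, values the privilege level
# to return. A hard-coded hash stands in for the SQL table Hugh suggests;
# identifiers and DNs are constructed for this example.
my %MATRIX = (
    'core-routers' => {
        'CN=NetAdmins,OU=Groups,DC=example,DC=edu' => 15,
        'CN=NetOps,OU=Groups,DC=example,DC=edu'    => 7,
    },
    'access-switches' => {
        'CN=NetAdmins,OU=Groups,DC=example,DC=edu' => 15,
        'CN=NetOps,OU=Groups,DC=example,DC=edu'    => 15,
        'CN=HelpDesk,OU=Groups,DC=example,DC=edu'  => 1,
    },
);

# Highest level any of the user's groups grants on this device group, or undef
# when nothing matches. Unknown device groups and unmatched users get no
# privilege attribute at all (fail closed), rather than a default level.
sub access_level_for {
    my ($client_id, @groups) = @_;
    my $row = $MATRIX{$client_id} or return undef;
    my %grant = map { lc($_) => $row->{$_} } keys %$row;  # DNs compare case-insensitively
    my $best;
    for my $dn (@groups) {
        my $lvl = $grant{lc $dn};
        $best = $lvl if defined $lvl && (!defined $best || $lvl > $best);
    }
    return $best;
}

# The hook itself: the file must evaluate to this sub reference.
sub {
    my ($self, $name, $p, $user, $entry, $rp) = @_;
    my $client_id = $p->{Client}->{Identifier} // '';
    my @groups    = $entry->get_value('memberOf');
    my $lvl       = access_level_for($client_id, @groups);
    if (defined $lvl) {
        $rp->add_attr('Cisco-AVPair', "shell:priv-lvl=$lvl");
        &main::log($main::LOG_DEBUG, "$name: priv-lvl $lvl on $client_id");
    } else {
        &main::log($main::LOG_INFO, "$name: no mapped access on $client_id, no privilege attribute returned");
    }
};
```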