List:       freeradius-users
Subject:    Re: Huntgroups + LDAP
From:       Kostas Kalevras <kkalev () noc ! ntua ! gr>
Date:       2002-08-29 9:34:21

On Thu, 29 Aug 2002 arise@compass.com.ph wrote:

>
> Hi,
>
> On Wed, 28 Aug 2002, Kostas Kalevras wrote:
>
> > A huntgroup (if we are talking about the same thing) is defined in the
> > huntgroups file in freeradius. Defining it in ldap is of no use. You can do much
> > more clever things with the huntgroups file. You could use though the
> > Huntgroup-Name and User-Profile attributes and define separate user profiles for
> > each huntgroup. In more detail:
>
> Yes, we're talking about the same thing :)

Probably not :-)

The huntgroups are defined based on NAS ip addresses and ports. If I
understand you correctly you want group membership.

>
> FYI, my users are stored in LDAP and get authenticated via
>
> 	Auth-Type := LDAP
>
> I already tried using the Huntgroup-Name attribute but it was never
> matched. IIRC, the group name was being checked against the system group
> file. How could I tell freeradius to check the group membership on an LDAP
> server? And check it for any match on the users file?
>
> What I'm trying to accomplish is to check every user who logs in for their
> group membership then compare if it has a DEFAULT entry match on the users
> file, then run an external program which calculates its remaining time and
> return the Session-Timeout attribute.

You could also check the counter module, if you want to impose user time limits.

>
> Here's an entry from my users file:
>
> 	DEFAULT Huntgroup-Name == "testing"
>         Exec-Program-Wait = "/usr/local/sbin/testing %u %n %p",
>         Fall-Through = Yes
>
> I've read some docs re: Ldap-Group attribute but it requires that every
> user dn must be entered on its group dn.
>
> For example,
>
> dn: cn=users,ou=groups,dc=foo,dc=com
> objectClass: posixGroup
> objectClass: groupOfUniqueNames
> cn: users
> gidNumber: 1101
> memberUid: arise
> uniqueMember: uid=arise,ou=People,dc=foo,dc=com
>
> This works well if you have few users but what if you have 10,000+
> users in different huntgroups? You need to add all of them on its
> own group dn.
>
> Is there any other way of doing this? Like checking the radiusHuntgroupName
> attribute then compare if it matches on the huntgroups file.
>
> Is there anything I miss here?
>
> Thanks for the time.
>
> regards,
>
> Ron
>

Check the groupmembership_attribute in doc/rlm_ldap. You should just add a group
membership attribute in the user entries with the name or DN of the group the
user belongs to.

--
Kostas Kalevras		Network Operations Center
kkalev@noc.ntua.gr	National Technical University of Athens, Greece
Work Phone:		+30 10 7721861
'Go back to the shadow'	Gandalf
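As an added illustration of the approach described in this reply (constructed example, not configuration from the thread or from the FreeRADIUS project): the group name is stored on the user entry and rlm_ldap is pointed at that attribute, so no group entry has to enumerate its members. The LDAP server name, the user's objectClasses and the assumption that the ldap module is listed in the authorize section are mine.

```text
# --- LDAP: each user entry names the group it belongs to (constructed entry)
# Instead of listing every member under the group entry (uniqueMember: ...),
# the user entry carries one attribute with the group name or the group DN.
dn: uid=arise,ou=People,dc=foo,dc=com
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: arise
radiusGroupName: testing

# --- radiusd.conf, ldap module: tell rlm_ldap where membership lives
ldap {
    server = "ldap.foo.com"            # assumed hostname
    basedn = "dc=foo,dc=com"
    filter = "(uid=%u)"
    # Attribute in the USER entry holding the name or DN of the group
    groupmembership_attribute = "radiusGroupName"
    # Attribute in the GROUP entry that a group name is compared against
    # (only consulted when the membership value is a DN)
    groupname_attribute = "cn"
}

# --- users file: match on the LDAP group instead of Huntgroup-Name
# Ldap-Group is a check item; rlm_ldap resolves it from the entry above.
DEFAULT Ldap-Group == "testing"
        Exec-Program-Wait = "/usr/local/sbin/testing %u %n %p",
        Fall-Through = Yes
```

Adding a user to a group then means setting one attribute on that user's entry rather than editing the group's member list.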