
List:       freeradius-users
Subject:    Re: Different reply items out of LDAP depending on the NAS
From:       Peter Lambrechtsen <plambrechtsen () gmail ! com>
Date:       2009-08-28 19:16:52
Message-ID: a9a8c2eb0908281216l7c36d1a2t5d3036118a9f8cf9 () mail ! gmail ! com


On Sat, Aug 29, 2009 at 7:11 AM, Peter Lambrechtsen <plambrechtsen@gmail.com> wrote:

> On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <tnt@kalik.net> wrote:
>
>> > I am trying to have granular reply items depending on the NAS they
>> > connected to, all driven using attributes in LDAP without needing to use
>> > realms.
>> >
>> > IE User A passes just User&Password to NAS A and gets reply attr
>> > "Service-Type=admin", and the admin comes from an LDAP attribute "nasA"
>> > in LDAP.
>> > Same user logs into NAS B and gets back a "Service-Type=user" and the
>> > value user comes from an attribute "nasB".
>> >
>> > Looking through the ldap.attrmap it seems to be a static mapping for
>> > Service-Type to be statically set to a single value from LDAP, but what
>> > happens if I want that value to be different depending on which NAS I have
>> > connected from.
>> >
>> > Have searched around and haven't found any documents talking about how to
>> > have this granular level of configuration.
>>
>> Well, you have custom attributes in LDAP - translate them to custom
>> attributes in radius (define them first in raddb/dictionary and map them
>> in ldap.attrmap, let's say nasA to nasA as replyItem, etc.)
>>
>> Then use unlang to set service type:
>>
>> if(NAS-IP-Address == NAS A IP) {
>>     update reply {
>>          Service-Type = "%{reply:nasA}"
>>     }
>> }
>> elsif(NAS-IP-Address == NAS B IP) {
>> ...
>
>
> Another thought would be to have LDAP group-based authorize and attributes
> being passed back.
>
> IE the user has "member" attributes specifying which services it has
> access to and which attributes are to be passed back.
>
> This is the user in LDAP.
>
> dn: cn=user,o=users
> member: cn=admin,ou=nasA,o=radius
> member: cn=user,ou=nasB,o=radius
> member: cn=1,ou=nasC,o=radius
> member: cn=15,ou=nasC,o=radius
> member: cn=somethingelse,o=groups
>
> Then I think I would specify in the clients the update reply, i.e.:
>
> if(NAS-IP-Address == NAS A IP) {
>
> update reply {
>          Service-Type = "%{reply:nasA}"
>     }
> }
>


What I was actually meaning was:

if (NAS-IP-Address == NAS A IP) {
    # rlm_ldap exposes group membership as the Ldap-Group check item,
    # so the "member" DN is tested with that rather than read directly
    if (Ldap-Group == "cn=admin,ou=nasA,o=radius") {
        update reply {
            # Service-Type is an enumerated attribute; "admin" is not a
            # dictionary value, Administrative-User is
            Service-Type = Administrative-User
        }
    }
}

Or something similar.

I assume I would update the post-auth section under sites-enabled/default?
Or would it be under clients.conf or the modules/ldap?


>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
