clash between group LDAP

Rohaizam Abu Bakar
Dear all,

 I have an LDAP tree structure as below, to separate ADSL & DIALUP. But
I encounter one problem: when userA = userB, LDAP will find userA's
account although it is userB that actually logs in. This may be due to the
DEFAULT sequence in the users file.

 Any idea to solve this ? thanks..


                        ou=AAA
                           |
                           |
              ------------------------------
              |                            |
           ou=ADSL                     ou=DIALUP

 dn: uid=userA,ou=ADSL,ou=AAA ...      dn: uid=userB,ou=DIALUP,ou=AAA....
 serviceflag: ADSL                     serviceflag: DIALUP


 Users:
====

  DEFAULT         ldapadsl-Ldap-Group == "ADSL", Autz-Type := ADSL, Auth-Type := ADSL
  DEFAULT         ldapdialup-Ldap-Group == "DIALUP", Autz-Type := DIALUP, Auth-Type := DIALUP


 radiusd.conf
========
         ldap ldapadsl {
                 basedn = "ou=ADSL,ou=AAA,ou=People,dc=jaring,dc=my"
                 groupname_attribute = serviceflag
         }
         ldap ldapdialup {
                 basedn = "ou=DIALUP,ou=AAA,ou=People,dc=jaring,dc=my"
                 groupname_attribute = serviceflag
         }

 authorize {

         Autz-Type ADSL {
                 ldapadsl
         }
         Autz-Type DIALUP {
                 ldapdialup
         }

 }

 authenticate {

         Auth-Type ADSL {
                 ldapadsl
         }
         Auth-Type DIALUP {
                 ldapdialup
         }

 }



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: clash between group LDAP

Dusty Doris

> Dear all,
>
>  I have an LDAP tree structure as below, to separate ADSL & DIALUP. But
> I encounter one problem: when userA = userB, LDAP will find userA's
> account although it is userB that actually logs in. This may be due to the
> DEFAULT sequence in the users file.
>
>  Any idea to solve this ? thanks..
>
>
>                         ou=AAA
>                            |
>                            |
>               ------------------------------
>               |                            |
>            ou=ADSL                     ou=DIALUP
>
>  dn: uid=userA,ou=ADSL,ou=AAA ...      dn: uid=userB,ou=DIALUP,ou=AAA....
>  serviceflag: ADSL                     serviceflag: DIALUP
>


I'm curious as to why you've structured it that way?  It seems to me that
you would want one tree for users and then define what services the users
have in their profile.  That way a user can be both adsl and dial, without
having to be present in both trees.

Rather than creating a new tree for each service, it makes more sense to
define your tree based on users.  Then each service they have access to is
merely an attribute of that user.

Imagine what it will look like if you try to scale that and add 10
different services such as FTP, webhosting, portal logins, vpn, etc...

The ldap_howto.txt doc explains how you can do this, but here is a
summary.


dn: uid=user1,ou=radius,dc=yourdomain
uid: user1
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

dn: uid=user2,ou=radius,dc=yourdomain
uid: user2
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: vpn

Then you need something to determine if this is coming from a dial NAS,
ADSL NAS, VPN NAS, etc.  Usually you can use NAS-IP-Address or
NAS-Port-Type or something along those lines.

Say you had two dial NASes and one ADSL NAS.

In huntgroups:

dial NAS-IP-Address == 10.0.0.1
dial NAS-IP-Address == 10.0.0.2

adsl NAS-IP-Address == 10.0.0.3

In users:

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial

DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl

DEFAULT Auth-Type := Reject

That config above would do the following:

1.  If the access-request comes from your dial nas, check to see if the
user has radiusgroupname: dial.  If so, authorize.  If not, reject.

2.  If the access-request comes from your adsl nas, check to see if the
user has radiusgroupname: adsl.  If so, authorize.  If not, reject.

I think you'd be much happier with a format like that, especially if there
is any chance that you might start adding new services.

-Dusty
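The two layouts contrasted in this thread, as an added example that is not part of either post: a small Python simulation of how a FreeRADIUS users file is walked, with an in-memory stand-in for the directory. Everything here is constructed for illustration (the entries, the NAS addresses, the instance-to-basedn table, and the `search_uid`/`ldap_group_check`/`authorize` helpers); it only approximates rlm_ldap and users-file semantics (first matching DEFAULT wins, no Fall-Through, `<instance>-Ldap-Group` resolves the user under that instance's basedn). The point it makes concrete is the security-relevant one: in the split layout, a login arriving from one service's NAS is evaluated against whichever subtree the first DEFAULT line names, so a colliding uid makes the account used depend on users-file order rather than on the service requested. In the single-tree layout the decision is driven by the NAS (huntgroup) and the user's own group values, and the trailing `Auth-Type := Reject` catches every other case, including unknown NASes and unknown users.

```python
# Added example (not from the thread): in-memory simulation of users-file
# evaluation for the two directory layouts. No LDAP server is involved.
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values (LDAP attributes are multi-valued)


@dataclass
class UsersEntry:
    """One DEFAULT line: (attr, value) check items that must all match, and the
    control/reply items (e.g. Auth-Type) applied when they do."""
    checks: list
    replies: dict


def search_uid(directory, basedn, uid):
    """Emulate the rlm_ldap user lookup: first entry under basedn with that uid."""
    for e in directory:
        if e.dn.lower().endswith("," + basedn.lower()) and uid in e.attrs.get("uid", []):
            return e
    return None


def ldap_group_check(directory, basedn, uid, group_attr, wanted):
    """Emulate '<instance>-Ldap-Group == wanted' against the instance's basedn."""
    e = search_uid(directory, basedn, uid)
    return e is not None and wanted in e.attrs.get(group_attr, [])


def huntgroup_for(huntgroups, nas_ip):
    for name, ip in huntgroups:
        if ip == nas_ip:
            return name
    return None


def authorize(request, users, huntgroups, ldap_instances, directory):
    """Walk the users file in order; the first DEFAULT whose check items all
    match wins (no Fall-Through). Returns its replies, or None if none matched."""
    hg = huntgroup_for(huntgroups, request["NAS-IP-Address"])
    for entry in users:
        matched = True
        for attr, value in entry.checks:
            if attr == "Huntgroup-Name":
                matched = (hg == value)
            elif attr.endswith("Ldap-Group"):
                # 'Ldap-Group' belongs to the instance named 'ldap';
                # 'ldapadsl-Ldap-Group' to the instance 'ldapadsl', and so on.
                inst = "ldap" if attr == "Ldap-Group" else attr[: -len("-Ldap-Group")]
                basedn, group_attr = ldap_instances[inst]
                matched = ldap_group_check(directory, basedn, request["User-Name"],
                                           group_attr, value)
            else:
                matched = False  # check item this toy does not model: no match
            if not matched:
                break
        if matched:
            return entry.replies
    return None


def decide(request, users, huntgroups, ldap_instances, directory):
    replies = authorize(request, users, huntgroups, ldap_instances, directory)
    if replies is None:
        return "no-match"
    return replies.get("Auth-Type", "authorized")


# Layout 1 (original post): one subtree per service, the same uid in both.
BASE = "ou=AAA,ou=People,dc=jaring,dc=my"
DIR_SPLIT = [
    Entry("uid=userA,ou=ADSL," + BASE, {"uid": ["userA"], "serviceflag": ["ADSL"]}),
    Entry("uid=userA,ou=DIALUP," + BASE, {"uid": ["userA"], "serviceflag": ["DIALUP"]}),
]
LDAP_SPLIT = {"ldapadsl": ("ou=ADSL," + BASE, "serviceflag"),
              "ldapdialup": ("ou=DIALUP," + BASE, "serviceflag")}
USERS_SPLIT = [
    UsersEntry([("ldapadsl-Ldap-Group", "ADSL")], {"Autz-Type": "ADSL", "Auth-Type": "ADSL"}),
    UsersEntry([("ldapdialup-Ldap-Group", "DIALUP")], {"Autz-Type": "DIALUP", "Auth-Type": "DIALUP"}),
]


def split_tree_decision(nas_ip, user):
    req = {"NAS-IP-Address": nas_ip, "User-Name": user}
    return decide(req, USERS_SPLIT, [], LDAP_SPLIT, DIR_SPLIT)


# Layout 2 (reply): one user tree, services as radiusgroupname values,
# NAS mapped to a huntgroup, final catch-all Reject.
DIR_SINGLE = [
    Entry("uid=user1,ou=radius,dc=yourdomain", {"uid": ["user1"], "radiusgroupname": ["dial", "adsl"]}),
    Entry("uid=user2,ou=radius,dc=yourdomain", {"uid": ["user2"], "radiusgroupname": ["dial", "vpn"]}),
]
LDAP_SINGLE = {"ldap": ("ou=radius,dc=yourdomain", "radiusgroupname")}
HUNTGROUPS = [("dial", "10.0.0.1"), ("dial", "10.0.0.2"), ("adsl", "10.0.0.3")]
USERS_SINGLE = [
    UsersEntry([("Huntgroup-Name", "dial"), ("Ldap-Group", "dial")], {}),
    UsersEntry([("Huntgroup-Name", "adsl"), ("Ldap-Group", "adsl")], {}),
    UsersEntry([], {"Auth-Type": "Reject"}),
]


def single_tree_decision(nas_ip, user):
    req = {"NAS-IP-Address": nas_ip, "User-Name": user}
    return decide(req, USERS_SINGLE, HUNTGROUPS, LDAP_SINGLE, DIR_SINGLE)


if __name__ == "__main__":
    # The clash: a dial-up login is handled by the ADSL entry because the first
    # DEFAULT line finds uid=userA under ou=ADSL, whatever NAS sent the request.
    print(split_tree_decision("10.0.0.1", "userA"))   # ADSL
    print(single_tree_decision("10.0.0.1", "user1"))  # authorized
    print(single_tree_decision("10.0.0.3", "user2"))  # Reject
    print(single_tree_decision("10.0.0.9", "user1"))  # Reject
```

Run it directly to see the four decisions. The split layout never consults the NAS at all, so the only thing that distinguishes the two accounts is which users-file line is first; the single-tree layout's answer changes with the NAS address and with the user's group list, and anything it cannot place falls through to the Reject line.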