On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
> we have the need to map users with membership in multiple groups into
> tacacs groups to decide if the user is allowed to login (authentication)
> and what the user is allowed to do (authorization).
> We solved the authentication by multiple authby ldap2's for the
> different ldap groups in an authby group.
> The first matched group populates the OSC-Group-Identifier attribute
> which is used for the GroupMemberAttr.
> Because some users are in multiple groups we're looking for a way to add
> all of them to the GroupMemberAttr, is this possible?
This does not sound possible. Please see this example. Is this what you are looking for?

    <Server TACACSPLUS>
        GroupMemberAttr OSC-Group-Identifier
        AuthorizeGroup group1 ...
        # more rules for group1
        AuthorizeGroup group2 ...
        # more rules for group2

And the Access-Reply messages would look like these:

    User a:
        OSC-Group-Identifier = group1
    User b:
        OSC-Group-Identifier = group2
    User c:
        OSC-Group-Identifier = group1
        OSC-Group-Identifier = group2

The user c would be allowed (group1 + group2).

The above is not currently possible since Radiator currently only picks up one attribute and uses its value. The second will not be used. Also, there's the question if both group1 and group2 contain permit and deny rules how they would relate to each other.

If the above is not what you are after, please tell us more.

Thanks!

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
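The reply above raises two points worth seeing side by side: with only the first GroupMemberAttr value honoured, user c is treated as a group1-only user, and if several groups were honoured, their permit and deny rules need an explicit conflict policy. The following Python model is an added illustration, not Radiator code and not Radiator's AuthorizeGroup rule syntax; the group names and the OSC-Group-Identifier attribute come from the thread, while the rule sets, the sample Access-Reply attribute lists, the commands and the "deny overrides" merge policy are all constructed assumptions.

```python
"""Model of TACACS+ command authorization driven by a RADIUS group attribute.

Constructed example (not Radiator code). It contrasts two ways of using
an Access-Reply that carries several OSC-Group-Identifier attributes:
  - "first_only": only the first attribute value selects a group
    (the single-attribute behaviour the reply describes).
  - "merge_deny_overrides": every returned group's rules are consulted and
    any deny wins (an assumed conflict policy, chosen for illustration).
Rule lines below are a simplified (action, regex) stand-in, not Radiator's
AuthorizeGroup syntax.
"""
import re

GROUP_MEMBER_ATTR = "OSC-Group-Identifier"

# Constructed rule sets per group: first matching rule decides.
AUTHORIZE_GROUPS = {
    "group1": [
        ("permit", r"^show "),
        ("deny", r"^configure"),
    ],
    "group2": [
        ("permit", r"^configure terminal$"),
        ("permit", r"^show "),
        ("permit", r"^ping "),
    ],
}

# Constructed Access-Reply attribute lists, (name, value) pairs in wire order.
REPLIES = {
    "a": [(GROUP_MEMBER_ATTR, "group1")],
    "b": [(GROUP_MEMBER_ATTR, "group2")],
    "c": [(GROUP_MEMBER_ATTR, "group1"), (GROUP_MEMBER_ATTR, "group2")],
    "d": [("Reply-Message", "no group attribute present")],
}


def groups_from_reply(reply, first_only):
    """Collect group names from the reply; keep only the first if asked."""
    groups = [value for name, value in reply if name == GROUP_MEMBER_ATTR]
    return groups[:1] if first_only else groups


def evaluate_group(group, command):
    """Return 'permit', 'deny' or None (no rule in this group matched)."""
    for action, pattern in AUTHORIZE_GROUPS.get(group, []):
        if re.search(pattern, command):
            return action
    return None


def authorize(user, command, policy="first_only"):
    """Decide a command for a user under the chosen multi-group policy.

    Anything that is not an explicit permit falls through to deny, so an
    unknown user, a missing group attribute or an unmatched command is denied.
    """
    groups = groups_from_reply(REPLIES.get(user, []), policy == "first_only")
    if not groups:
        return "deny"
    decisions = [evaluate_group(g, command) for g in groups]
    if policy == "first_only":
        return decisions[0] or "deny"
    if policy == "merge_deny_overrides":
        if "deny" in decisions:
            return "deny"
        return "permit" if "permit" in decisions else "deny"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for user in "abcd":
        for cmd in ("show version", "configure terminal", "ping 192.0.2.1"):
            print(user, cmd.ljust(20),
                  authorize(user, cmd),
                  authorize(user, cmd, "merge_deny_overrides"))
```

Running it shows the difference the thread is about: under "first_only" user c can never run `ping`, because only group1 is consulted, while under the merge policy group2's permit applies; for `configure terminal` the two groups disagree and the assumed deny-overrides rule resolves the conflict in favour of deny. Whatever policy an implementation picks, making it explicit (and defaulting to deny) is the part that matters for authorization.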