Hi Heikki, I did something similar to this at NBNCo (you have the configs I think). In that one we used the LDAP to get the groups the user is a member of, and used the device group the request came from to do a lookup in SQL. From there we get AuthorizeGroupAttr rules.
Cheers.

On Friday 08 July 2011 09:51:08 pm Heikki Vatiainen wrote:
> On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
> > we have the need to map users with membership in multiple groups into
> > tacacs groups to decide if the user is allowed to login (authentication)
> > and what the user is allowed to do (authorization).
> > We solved the authentication by multiple authby ldap2's for the
> > different ldap groups in an authby group.
> > The first matched group populates the OSC-Group-Identifier attribute
> > which is used for the GroupMemberAttr.
> > Because some users are in multiple groups we're looking for a way to add
> > all of them to the GroupMemberAttr, is this possible?
>
> This does not sound possible. Please see this example. Is this what you
> are looking for?
>
> <Server TACACSPLUS>
>     GroupMemberAttr OSC-Group-Identifier
>     AuthorizeGroup group1 ...
>     # more rules for group1
>     AuthorizeGroup group2 ...
>     # more rules for group2
>
> And the Access-Reply messages would look like these
>
> User a:
> OSC-Group-Identifier = group1
> User b:
> OSC-Group-Identifier = group2
> User c:
> OSC-Group-Identifier = group1
> OSC-Group-Identifier = group2
>
> The user c would be allowed (group1 + group2).
>
> The above is not currently possible since Radiator currently only picks
> up one attribute and uses its value. The second will not be used.
>
> Also, there's the question if both group1 and group2 contain permit and
> deny rules how they would relate to each other.
>
> If the above is not what you are after, please tell us more.
>
> Thanks!

-- 
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
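Two points in this thread are worth seeing in working code: Mike's approach of mapping (device group, LDAP group) pairs to TACACS+ groups through an SQL lookup, and the open question Heikki raises about how permit/deny rules from group1 and group2 should relate when user c is in both. The Python below is an added example, not Radiator code nor anything from Open System Consultants; the table schema, group names, rule syntax, the use of an in-memory SQLite table in place of a real SQL backend, and the two merge policies are all assumptions for illustration. It shows that simply concatenating per-group rule lists (first match wins) lets a trailing "deny .*" in the first group shadow everything the second group would permit, while evaluating each group separately and permitting if any group permits does not.

```python
import re
import sqlite3

# Constructed sample rules, in the order they would be listed per group.
# Each rule is (action, regex) matched against a flattened request string.
# Names and syntax are assumptions, not Radiator's AuthorizeGroup syntax.
GROUP_RULES = {
    "group1": [
        ("permit", r"service=shell cmd=show .*"),
        ("deny", r".*"),                 # group1 ends with an explicit deny-all
    ],
    "group2": [
        ("permit", r"service=shell cmd=configure .*"),
        ("permit", r"service=shell cmd=show .*"),
        ("deny", r".*"),
    ],
}


def request_string(service, cmd, cmd_arg):
    """Flatten a TACACS+ authorization request into one matchable string."""
    return f"service={service} cmd={cmd} cmd-arg={cmd_arg}"


def first_match(rules, req):
    """First matching rule decides; no match is an implicit deny."""
    for action, pattern in rules:
        if re.fullmatch(pattern, req):
            return action
    return "deny"


def authorize_concat(groups, req):
    """Policy A: concatenate every group's rules in group order, first match wins.
    group1's trailing 'deny .*' is reached before any group2 rule."""
    rules = [rule for g in groups for rule in GROUP_RULES.get(g, [])]
    return first_match(rules, req)


def authorize_any_permit(groups, req):
    """Policy B: evaluate each group on its own; permit if any group permits."""
    for g in groups:
        if first_match(GROUP_RULES.get(g, []), req) == "permit":
            return "permit"
    return "deny"


def build_mapping_db():
    """Constructed stand-in for the SQL table the LDAP/device-group lookup hits."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE group_map (device_group TEXT, ldap_group TEXT, tacacs_group TEXT)")
    db.executemany("INSERT INTO group_map VALUES (?, ?, ?)", [
        ("core-routers", "cn=netops,ou=groups,dc=example,dc=com", "group1"),
        ("core-routers", "cn=netadmin,ou=groups,dc=example,dc=com", "group2"),
        ("access-switches", "cn=netops,ou=groups,dc=example,dc=com", "group2"),
    ])
    return db


def tacacs_groups(db, device_group, ldap_groups):
    """All TACACS+ groups a user gets for this device group, given the LDAP
    groups they are a member of. Values are bound as parameters; only the
    number of placeholders is built dynamically."""
    if not ldap_groups:
        return []
    placeholders = ",".join("?" * len(ldap_groups))
    rows = db.execute(
        f"SELECT DISTINCT tacacs_group FROM group_map "
        f"WHERE device_group = ? AND ldap_group IN ({placeholders}) "
        f"ORDER BY tacacs_group",
        [device_group, *ldap_groups],
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_mapping_db()
    user_c_ldap = ["cn=netops,ou=groups,dc=example,dc=com",
                   "cn=netadmin,ou=groups,dc=example,dc=com"]
    groups = tacacs_groups(db, "core-routers", user_c_ldap)
    req = request_string("shell", "configure", "terminal")
    print(groups, authorize_concat(groups, req), authorize_any_permit(groups, req))
```

Which policy is right is exactly the question left open in the thread; the point of the example is that the answer has to be decided explicitly, because the naive concatenation gives user c fewer rights than group2 alone, and reversing the group order changes the outcome.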