FreeRadius, LDAP, VLAN

Filip Flajšar linux at ssos.cz
Wed Feb 11 15:32:05 CET 2009


Hello,
I would like to set up FreeRADIUS with LDAP so that a user is assigned to a VLAN based on the group he belongs to.
When I test a user for whom I have set:

radiusTunnelMediumType: IEEE-802
radiusTunnelPrivateGroupId: 2
radiusTunnelType: VLAN

Snoopy:~# radtest fido heslo localhost 0 testing123
Sending Access-Request of id 30 to 127.0.0.1 port 1812
	User-Name = "fido"
	User-Password = "heslo"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=30, length=38
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Service-Type = Framed-User

I don't understand why PrivateGroupId is not returned.

The user has gidNumber: 513
and I have gidNumber 513 in the group as well.

Snoopy:~# tail /etc/freeradius/ldap.attrmap 
replyItem	Login-LAT-Group			radiusLoginLATGroup
replyItem	Framed-AppleTalk-Link		radiusFramedAppleTalkLink
replyItem	Framed-AppleTalk-Network	radiusFramedAppleTalkNetwork
replyItem	Framed-AppleTalk-Zone		radiusFramedAppleTalkZone
replyItem	Port-Limit			radiusPortLimit
replyItem	Login-LAT-Port			radiusLoginLATPort
replyItem	Reply-Message			radiusReplyMessage
replyItem	Tunnel-Medium-Type		radiusTunnelMediumType
replyItem	Tunnel-Pvt-Group-ID		radiusTunnelPrivateGroupId
replyItem	Tunnel-Type			radiusTunnelType


ldap {
	server = "127.0.0.1"
	identity = "cn=Manager,dc=fido,dc=lan"
	password = tanjneheslo
	basedn = "ou=People,dc=fido,dc=lan"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# both conditions ANDed; the filter must be one quoted, balanced expression
	base_filter = "(&(objectClass=posixAccount)(uid=%u))"
	start_tls = no
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	password_attribute = userPassword
	groupname_attribute = ou
	# groupmembership_filter = "(|(&(objectClass=*)(member=%{Ldap-UserDn}))(&(objectClass=*)(uid=%{Ldap-UserDn})))"
	# groupOfUniqueNames keeps its members in uniqueMember (no space in the attribute name)
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniqueMember=%{Ldap-UserDn})))"
	groupmembership_attribute = gidNumber
	timeout = 4
	timelimit = 3
	net_timeout = 1
}


I think I have an error in the groupmembership_filter directive, but I couldn't figure out what to put there and how.
What I am primarily after is setting on the group

Tunnel-Type
Tunnel-Medium-Type
Service-Type
Tunnel-Pvt-Group-Id

and thereby distributing users into the individual VLANs according to their group.
The system is Debian Etch 4.0
FreeRADIUS Version 1.1.3
OpenLDAP: slapd 2.3.30

If I have forgotten something, I apologize :-)
Thanks for pointing me in the right direction.

Regards
-- Filip
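Two checks a practitioner would run on a setup like this one, added here as an example (Python; not code from the post or from FreeRADIUS): a linter for the LDAP filter strings in the rlm_ldap block, which catches an unclosed parenthesis, a second top-level element and an attribute name containing a space, and a check of the radtest reply against the RFC 3580 attribute triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id, all with the same tag) that a switch needs before it will move a port into a VLAN. The malformed filters and the second, complete reply are constructed for illustration; the first reply is the one printed in the post.

```python
"""Sanity checks for LDAP-driven dynamic VLAN assignment.

Added example, not code from the original post or from FreeRADIUS.
The malformed filters and REPLY_COMPLETE below are constructed.
"""
import re

# RFC 4515 attribute description: a name or an OID, optional ;options.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)(?:;[A-Za-z0-9-]+)*$")
# attr op value inside one leaf; the value part may be anything (incl. %{...}).
OP_RE = re.compile(r"^(.+?)(~=|>=|<=|=)(.*)$")
# One attribute line of radtest/radclient output: "\tName[:tag] = value".
ATTR_LINE_RE = re.compile(r"^\s+([\w-]+)(?::(\d+))?\s*=\s*(.+?)\s*$")


def lint_ldap_filter(flt):
    """Return a list of problems found in an LDAP search filter string.

    Checks parenthesis balance, that the string is a single top-level
    element, and that every leaf is `(attr op value)` with a valid
    attribute description. FreeRADIUS %{...} expansions are treated as
    opaque value text, which is how rlm_ldap hands them to the server.
    """
    problems = []
    if not flt.startswith("("):
        problems.append("filter must start with '('")
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            if depth == 0 and i > 0:
                problems.append("more than one top-level element; wrap them in (&...) or (|...)")
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unmatched ')' at offset {i}")
                depth = 0
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    # Innermost parenthesised items are the leaves (or a bare &, |, !).
    for m in re.finditer(r"\(([^()]*)\)", flt):
        leaf = m.group(1)
        if leaf in ("&", "|", "!"):
            continue
        op = OP_RE.match(leaf)
        if not op:
            problems.append(f"leaf '({leaf})' has no comparison operator")
            continue
        attr = op.group(1)
        if not ATTR_RE.match(attr):
            problems.append(f"invalid attribute description '{attr}' in '({leaf})'")
    return problems


def parse_reply(text):
    """Parse radtest/radclient reply lines into {(attr, tag): value}.

    A `:N` suffix on the attribute name is the RFC 2868 tag; untagged
    attributes get tag None. Quoted string values are unquoted.
    """
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE_RE.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[(name, int(tag) if tag is not None else None)] = value.strip('"')
    return attrs


# RFC 3580: the switch applies a VLAN only when all three attributes are
# present with matching tags, Tunnel-Type = VLAN and Tunnel-Medium-Type =
# IEEE-802. An incomplete set leaves the port in its configured VLAN (or
# gets the session refused, depending on the NAS).
VLAN_TRIPLE = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
EXPECTED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def check_vlan_assignment(attrs):
    """Return the reasons this Access-Accept would not place the client in
    a VLAN; an empty list means the triple is usable by the switch."""
    problems = []
    present = {name: (tag, value) for (name, tag), value in attrs.items()
               if name in VLAN_TRIPLE}
    for name in VLAN_TRIPLE:
        if name not in present:
            problems.append(f"missing {name}")
    tags = {tag for tag, _ in present.values()}
    if len(tags) > 1:
        problems.append(f"tunnel attributes carry different tags: {sorted(map(str, tags))}")
    for name, want in EXPECTED.items():
        if name in present and present[name][1] != want:
            problems.append(f"{name} is {present[name][1]!r}, expected {want!r}")
    return problems


# Reply as printed in the post, and a constructed reply with the full triple.
REPLY_FROM_POST = """\
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=30, length=38
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tService-Type = Framed-User
"""
REPLY_COMPLETE = """\
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=31
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "2"
\tService-Type = Framed-User
"""
# Constructed malformed filters (dangling parenthesis; space in attribute name)
# and a corrected group filter.
BASE_FILTER_BROKEN = "(posixAccount)(uid=%u))"
GROUP_FILTER_BROKEN = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                       "(&(objectClass=GroupOfUniqueNames)(unique member=%{Ldap-UserDn})))")
GROUP_FILTER_FIXED = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                      "(&(objectClass=GroupOfUniqueNames)(uniqueMember=%{Ldap-UserDn})))")

if __name__ == "__main__":
    for label, flt in [("base_filter", BASE_FILTER_BROKEN),
                       ("groupmembership_filter", GROUP_FILTER_BROKEN),
                       ("groupmembership_filter (fixed)", GROUP_FILTER_FIXED)]:
        print(label, lint_ldap_filter(flt) or "ok")
    for label, reply in [("reply from post", REPLY_FROM_POST), ("complete", REPLY_COMPLETE)]:
        print(label, check_vlan_assignment(parse_reply(reply)) or "ok")
```

An Access-Accept carrying only Tunnel-Type and Tunnel-Medium-Type, like the one in the post, is a normal authentication success as far as radtest is concerned, but the switch has no VLAN ID to apply; running this kind of check in a test harness makes the gap visible before users end up in the port's default VLAN.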




More information about the Linux mailing list