[Other] freeradius + samba winbind: how to restrict authentication to a group after AD domain authentication succeeds

Posted on 2018-07-11 20:01
This post was last edited by liarlen on 2018-07-11 20:38

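freeradius is used for VPN user authentication.
The architecture is as follows:

vpn client  <=>  mschap  <=>  vpn server  <=>  freeradius  <=>  winbind  <=>  active directory

The current situation is that any domain account can pass authentication.

I want only the vpn group to be able to pass authentication.

Below is the solution I found, but I don't know which configuration file this statement

    if (Winbind-Group == "my-user-group") {
      ...
    }

should be written to.

If anyone knows, please advise.
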

> There is now code in the rlm_winbind module in v3.1.x that permits
> checking AD group membership in a similar way that you can
> currently do with LDAP. So if you don't want to configure LDAP,
> but do have a need to check AD groups, this might be useful.
>
> I haven't done any benchmark tests, so have no idea whether it is
> any faster than using LDAP or not. For the first group request I
> suspect it may be slower due to the winbind gid remapping. For
> subsequent requests, which winbind still has the user's groups
> cached (a few minutes at least it seems) then group searches are
> very fast.
>
> Usage is similar to rlm_ldap. Enable the winbind module in
> mods-enabled, then you can:
>
>  if (Winbind-Group == "my-user-group") {
>    ...
>  }
>
> for an instance of rlm_winbind e.g.
>
>  winbind mywb {
>    ...
>  }
>
> you can use:
>
>  if (mywb-Winbind-Group == "my-user-group") {
>    ...
>  }
>
> Running with -Xx gives more debug information including a list of
> all the groups being checked for the user (until a match is
> found).
>
> In addition, rlm_winbind will now try and find the current windows
> domain directly from winbind, so there should be no need to
> configure it with winbind_domain (this is not the case for the
> same option in rlm_mschap, yet...).
>
> Testing and feedback welcome.

Looks good!

IIRC this allows checks against nested groups too, right?

-Arran
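
One place the condition from the quoted message can go, shown as an added example that is not part of the original post or of the FreeRADIUS project: the `post-auth` section of the virtual server that handles the VPN server's requests. The file path, the v3-style section name and the group name `vpn-users` are assumptions; adjust them to the installation.

```unlang
# Assumed file: raddb/sites-enabled/default (the virtual server that
# receives the VPN server's Access-Requests).
# Prerequisite from the quoted message: the winbind module is enabled
# in mods-enabled/.
# "vpn-users" is a placeholder for the real AD group name.

post-auth {
    # Before: no group condition in this section, so every domain
    # account whose MS-CHAP exchange succeeds through winbind is
    # accepted.

    # After: the password has already been verified at this point;
    # additionally require membership of the VPN group and turn the
    # result into an Access-Reject for everyone else.
    if (!(Winbind-Group == "vpn-users")) {
        reject
    }

    # If the module is instantiated under a name, as in the quoted
    # "winbind mywb { ... }", the attribute carries that prefix:
    #
    #   if (!(mywb-Winbind-Group == "vpn-users")) {
    #       reject
    #   }

    # ... the rest of the existing post-auth section is unchanged ...
}
```

Running the server with -Xx, as the quoted message notes, lists the groups checked for the user, which confirms that the condition is being evaluated for each login.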







