[Other] freeradius + samba winbind: how to restrict authentication to a group after AD domain authentication succeeds

Posted 2018-07-11 20:01
This post was last edited by liarlen on 2018-07-11 20:38

freeradius is used for VPN user authentication.
The architecture is as follows:

vpn client  <=>   mschap  <=> vpn server  <=>  freeradius <=> winbind <=> Active Directory

The current situation is:

any domain account can pass authentication.

I want only the vpn group to be able to pass authentication.

Below is the solution I found, but I don't know which configuration file this statement

>  if (Winbind-Group == "my-user-group") {
>    ...
>  }

should be written to.

If anyone knows, please kindly advise.



> There is now code in the rlm_winbind module in v3.1.x that permits
> checking AD group membership in a similar way that you can
> currently do with LDAP. So if you don't want to configure LDAP,
> but do have a need to check AD groups, this might be useful.
>
> I haven't done any benchmark tests, so have no idea whether it is
> any faster than using LDAP or not. For the first group request I
> suspect it may be slower due to the winbind gid remapping. For
> subsequent requests, which winbind still has the user's groups
> cached (a few minutes at least it seems) then group searches are
> very fast.
>
> Usage is similar to rlm_ldap. Enable the winbind module in
> mods-enabled, then you can:
>
>  if (Winbind-Group == "my-user-group") {
>    ...
>  }
>
> for an instance of rlm_winbind e.g.
>
>  winbind mywb {
>    ...
>  }
>
> you can use:
>
>  if (mywb-Winbind-Group == "my-user-group") {
>    ...
>  }
>
> Running with -Xx gives more debug information including a list of
> all the groups being checked for the user (until a match is found).
>
> In addition, rlm_winbind will now try and find the current windows
> domain directly from winbind, so there should be no need to
> configure it with winbind_domain (this is not the case for the
> same option in rlm_mschap, yet...).
>
> Testing and feedback welcome.

Looks good!

IIRC this allows checks against nested groups too, right?

-Arran
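As an added example (not code from the post, from the quoted message, or from the FreeRADIUS project) of where the check goes: the unlang block lives in the authorize section of the virtual server that receives the VPN server's requests, assumed here to be sites-enabled/default; the AD group name "vpn" is also an assumption, and mods-available/mschap is assumed to already be set up to authenticate through winbind, since the post says domain accounts already authenticate.

```unlang
# sites-enabled/default  (added example; assumed file and group name)
# Requires FreeRADIUS 3.1.x with rlm_winbind enabled, as in the quoted message:
#   cd /etc/raddb/mods-enabled && ln -s ../mods-available/winbind winbind
authorize {
    preprocess

    # rlm_mschap sets Auth-Type := MS-CHAP for MS-CHAPv2 requests; the password
    # itself is only verified later, in the authenticate section.
    mschap

    # Winbind-Group is a dynamic attribute: comparing it makes rlm_winbind ask
    # winbind for the user's AD groups right here, before any password check.
    # Rejecting here means a valid domain password alone is no longer enough;
    # the account must also belong to the (assumed) "vpn" group.
    if (Winbind-Group == "vpn") {
        ok
    }
    else {
        update reply {
            Reply-Message := "Account is not a member of the VPN group"
        }
        reject
    }
}

authenticate {
    # The MS-CHAPv2 response is verified via winbind (mods-available/mschap,
    # assumed to be configured with winbind_username / winbind_domain).
    Auth-Type MS-CHAP {
        mschap
    }
}
```

To confirm the comparison is actually evaluated, run `radiusd -Xx` as the quoted message suggests: the debug output lists every group checked for the user until one matches, so a rejected login shows which groups the account really has.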







