Re: noob with some questions
On Jul 31, 2006, at 10:08 AM, P. K. wrote:
Hi All,
I've been setting up my College's first FreeRadius server and I've
been having a hard time wrapping my brain around the config with
the documentation that is available. If you'll bear with me here
through this super long post, I'll go into more depth.
What I'm trying to do:
I want to configure FreeRadius to Authorize a user against an LDAP
directory based on IF that user has the following values:
edupersonprimaryaffiliation: STAFF
AND
psadminarea: BUSINESS - SMEAL COLLEGE
OR
edupersonprimaryaffiliation: Faculty
AND
psadminarea: BUSINESS - SMEAL COLLEGE
If the user's values don't match either of these two conditions,
they are rejected. If they match either, then they are
authenticated against a Kerberos server.
This is very similar to our situation: you need to authorize based
on some combination of a user's attributes that are found in LDAP,
but that *aren't* present for comparison in the RADIUS request. Our
solution is to use rlm_perl for the comparison.
You already have part of the solution: you've got LDAP retrieving
the relevant LDAP data into locally-defined RADIUS attributes. Now
you just need to write a perl script to check the appropriate members
of the %RAD_CHECK hash, and configure an Autz-Type that uses your
LDAP module, followed by your rlm_perl module.
--
George C. Kaplan gckaplan@ack.berkeley.edu
Communication & Network Services 510-643-0496
University of California at Berkeley
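An rlm_perl authorize hook that implements the rule discussed above, added here as an illustration and not code from either poster. It assumes rlm_ldap has mapped the two LDAP attributes into check items named My-Affiliation and My-Admin-Area (names chosen for this example) and that the Autz-Type runs ldap before perl.

```perl
#!/usr/bin/perl
# Added example: rlm_perl authorize hook enforcing
# (staff OR faculty) AND psadminarea == "BUSINESS - SMEAL COLLEGE".
# Assumed ldap.attrmap entries (attribute names are this example's own):
#   checkItem  My-Affiliation  edupersonprimaryaffiliation
#   checkItem  My-Admin-Area   psadminarea
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes, as listed in FreeRADIUS's example.pl
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_OK     => 2;

my %ALLOWED_AFFILIATION = map { $_ => 1 } qw(staff faculty);
my $REQUIRED_AREA = 'BUSINESS - SMEAL COLLEGE';

# A multi-valued attribute arrives as an array ref; normalise to a list.
sub values_of {
    my ($v) = @_;
    return () unless defined $v;
    return ref $v eq 'ARRAY' ? @$v : ($v);
}

# Pure policy check: affiliation matched case-insensitively (the thread
# shows both "STAFF" and "Faculty"), admin area matched exactly.
sub is_allowed {
    my ($affils, $areas) = @_;
    my $affil_ok = grep { $ALLOWED_AFFILIATION{ lc $_ } } @$affils;
    my $area_ok  = grep { $_ eq $REQUIRED_AREA } @$areas;
    return ($affil_ok && $area_ok) ? 1 : 0;
}

sub authorize {
    my @affils = values_of($RAD_CHECK{'My-Affiliation'});
    my @areas  = values_of($RAD_CHECK{'My-Admin-Area'});
    my $user   = defined $RAD_REQUEST{'User-Name'}
               ? $RAD_REQUEST{'User-Name'} : '(unknown)';

    if (is_allowed(\@affils, \@areas)) {
        &radiusd::radlog(1, "perl: $user authorized; proceeding to Kerberos");
        return RLM_MODULE_OK;     # Auth-Type Kerberos then does the password
    }
    &radiusd::radlog(1, "perl: $user rejected: affiliation/area mismatch");
    $RAD_REPLY{'Reply-Message'} = 'Not authorized for this service';
    return RLM_MODULE_REJECT;
}

1;
```

Returning RLM_MODULE_OK only permits the request to continue to the Kerberos Auth-Type; the reject path logs the reason so failed authorizations can be reviewed.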