Re: noob with some questions

["P. K." <pbk105@psu.edu>]

George,

Thanks for your reply. Unfortunately, the FreeRadius documentation and 
support is so abysmal and my experience too limited to make good use of 
the advice you gave. Each OSS package has its benefits and weaknesses I 
guess. For instance I've used ISC DHCP server for years and it has 
stellar support from the programmer, great on-line information and 
documentation so much so that I can't imagine using anything else. I 
guess I was hoping FreeRadius would have the same support. Without a 
doubt it doesn't. I've spent about two weeks now struggling to make the 
software do what I want and at this point I give up. I'm moving on to 
Radiator. I just can't spend any more time spinning my wheels.

Perhaps in the future the FreeRadius writer's will realize how useless 
their software is with the level of documentation and support they are 
providing and choose to make improvements or maybe they'll just continue 
to operate on a "you get what you pay for basis." Either way it's not 
worth the frustration. It's a shame really because it's obvious that it 
is a really good piece of software.

Anyway, thanks again for the reply.


--Paul

Paul Kuchinski
Network Administrator
Smeal College of Business Administration
Penn State University

email: pbk105@psu.edu
phone: (814)865-0366
fax:   (814)865-1845



George C. Kaplan wrote:
> On Jul 31, 2006, at 10:08 AM, P. K. wrote:
>
> > Hi All,
> >
> > I've been setting up my College's first FreeRadius server and I've 
> > been having a hard time wrapping my brain around the config with the 
> > documentation that is available. If you'll bear with me here through 
> > this super long post, I'll go into more depth.
> >
> > What I'm trying to do:
> > I want to configure FreeRadius to Authorize a user against an LDAP 
> > directory based on IF that user has the following values:
> >
> > edupersonprimaryaffiliation: STAFF
> > AND
> > psadminarea: BUSINESS - SMEAL COLLEGE
> >
> > OR
> >
> > edupersonprimaryaffiliation: Faculty
> > AND
> > psadminarea: BUSINESS - SMEAL COLLEGE
> >
> > If the user's values don't match either of these two condition, they 
> > are rejected. If they match either, then they are authenticated 
> > agains a kerberos server.
>
> This is very similar to our situation:  you need to authorize based on 
> some combination of a user's attributes that are found in LDAP, but 
> that *aren't* present for comparison in the RADIUS request.  Our 
> solution is to use rlm_perl for the comparison.
>
> You already have part of the solution:  you've got LDAP retrieving the 
> relevant LDAP data into locally-defined RADIUS attributes.  Now you 
> just need to write a perl script to check the appropriate members of 
> the %RAD_CHECK hash, and configure an Autz-Type that uses your LDAP 
> module, followed by your rlm_perl module.
>
> --George C. Kaplan                            gckaplan@ack.berkeley.edu
> Communication & Network Services            510-643-0496
> University of California at Berkeley