authorization depending on authentication (ldap)

tschaos at gmx.net tschaos at gmx.net
Thu Jan 5 13:30:36 CET 2006


> I assume you meant
>
> if authentication runs over ldap1 authorize on ldap1
> if authentication runs over ldap2 authorize on ldap2
> if authentication runs over ldap3 authorize on ldap3

sorry my fault - should check my copy-paste better ;-)


> The authenticate processing should set Auth-Type to an unique value
> for each instance.  If you're using the default schema, then you can
> do that by adding a radiusAuthType ldap attribute to each user.  Or
> maybe better:  Use a default profile to set the appropriate
> radiusAuthType for each ldap instance.
> 
> E.g. add something like this to the directories:
> 
> ldap1:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP1
> 
> ldap2:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP2
>
> ldap3:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP3

hm, i dont understand where i should add this kind of lines. i guess they
should be in the users file as an default entry.

can you give a complete working sample for such an entry? sorry if this
would be base-knowledge but i dont know how to check ldap-settings in the
users file.

thanks in advance

Stefan

> --- Ursprüngliche Nachricht ---
> Von: Bjørn Mork <bjorn at mork.no>
> An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Betreff: Re: authorization depending on authentication (ldap)
> Datum: Thu, 05 Jan 2006 11:56:33 +0100
> 
> tschaos at gmx.net writes:
> 
> > i am running freeradius-1.0.2-5.5
> 
> > there are 3 ldap instances:
> > ldap1,ldap2,ldap3.
> >
> > and authenticate them all after another in the authentication section
> like
> > this:
> >
> > authenticate {
> >                 ldap1
> >                 ldap2
> >                 ldap3
> > }
> >
> > same in authorize-section:
> >
> > authorize {
> >                 ldap1
> >                 ldap2
> >                 ldap3
> > }
> >
> > now my problem is, that if the user x is authenticated at ldap2 for
> instance
> > the authorization fails cause the user isnt found at ldap1 (freeradius
> > doesnt seem to try authorizing on ldap2 or ldap3)
> >
> > what i need would be a solution how to realize the following needs:
> >
> > if authentication runs over ldap1 authorize on ldap1
> > if authentication runs over ldap1 authorize on ldap2
> > if authentication runs over ldap1 authorize on ldap3
> >
> > how can i do that?
> 
> I assume you meant 
> 
>  if authentication runs over ldap1 authorize on ldap1
>  if authentication runs over ldap2 authorize on ldap2
>  if authentication runs over ldap3 authorize on ldap3
> 
> 
> The authenticate processing should set Auth-Type to an unique value
> for each instance.  If you're using the default schema, then you can
> do that by adding a radiusAuthType ldap attribute to each user.  Or
> maybe better:  Use a default profile to set the appropriate
> radiusAuthType for each ldap instance.
> 
> E.g. add something like this to the directories:
> 
> ldap1:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP1
> 
> ldap2:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP2
> 
> ldap3:
>         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
>         radiusAuthType: LDAP3
> 
> And then in radiusd.conf:
> 
> modules {
>         ..
>         ldap ldap1 {
>                 ..
>                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 ..
>         }
>         ldap ldap2 {
>                 ..
>                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 ..
>         }
>         ldap ldap3 {
>                 ..
>                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>                 ..
>         }
> }
> ..
> authorize {
>           Auth-Type LDAP1 {
>                  ldap1
>           }
>           Auth-Type LDAP2 {
>                  ldap2
>           }
>           Auth-Type LDAP3 {
>                  ldap3
>           }
> }
> 
> 
> 
> 
> Note: This would be a lot easier with freeradius-1.1, where I believe
> something like this would have been sufficient since rlm_ldap now sets
> Auth-Type to the instance name by default:
> 
> authorize {
>           Auth-Type ldap1 {
>                  ldap1
>           }
>           Auth-Type ldap2 {
>                  ldap2
>           }
>           Auth-Type ldap3 {
>                  ldap3
>           }
> }
> 
> 
> 
> Bjørn
> 
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 

-- 
Telefonieren Sie schon oder sparen Sie noch?
NEU: GMX Phone_Flat http://www.gmx.net/de/go/telefonie



More information about the Freeradius-Users mailing list