using different LDAP queries to authorize for different services

Sylvain Robitaille syl at alcor.concordia.ca
Wed Apr 2 19:59:59 CEST 2008


I'm back.  Small reminder, since it appears that list members are
helping a sufficient number of folks that remembering my particular
setup would be non-trivial:

   - I'm running FreeRADIUS-2.0.3 (rlm_pap is patched as was discussed on
     this mailing list), with TTLS/PAP using OpenLDAP as the source of
     user authorization and authentication.
   - My configuration files are nearly "stock", with the exception of the
     necessary configuration to get the ldap module talking to the LDAP
     server.
   - This setup has been running like this now for a couple of days
     without any trouble.

What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query.  The users are in various groups, which can be
checked by supplying an LDAP query filter that checks the "memberOf"
attribute: users in group "wireless" should be permitted to use the
wireless service; users in group "vpn" should be able to use the VPN
service; users in both groups could use either, and users in neither
group should be refused for either, etc.

I've been trying to configure this by adding instances of the ldap
module configuration ("ldap ldap_wireless" for example) in the "modules"
section of radiusd.conf, and setting "Autz-Type" in the users file based
on the NAS-IP-Address ("huntgroups" would likely be more appropriate
for our wireless access points, but at the moment I'm trying to do this
one step at a time, and in fact am testing with only 127.0.0.1 as the
NAS-IP-Address anyway).  Running radiusd in debug mode shows that the
ldap module is using the configuration for its un-named instance (the
default one from the stock config files, with minimal configuration to
permit it to look up users in our LDAP).

I can tell the difference in which LDAP module configuration stanza is
used by the query filter shown in the debug output.

If the correct way to accomplish what I'm trying for is documented
somewhere, I may have overlooked it, so I would appreciate it if someone
could point me at it.  I'm happy to read documentation, especially if it
leads me to better understand how to accomplish desired tasks.
Otherwise, if someone can see from the above what I'm doing wrong, I'd
certainly appreciate any advice, suggestions or other useful input.

Thanks again in advance ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
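As an added illustration (not from the original post or from the FreeRADIUS project), this is one way the per-service ldap instances and the Autz-Type dispatch described above fit together in FreeRADIUS 2.x; the LDAP host, base DN, group DNs and the second NAS address are placeholders, and the note about the inner-tunnel virtual server is an assumption about where the TTLS inner request is processed:

```conf
# radiusd.conf "modules" section (or modules/ldap): one ldap instance per
# service. Each filter requires both the uid match and the service group,
# so a user outside the group is simply not found by that instance.
# Placeholders: ldap.example.org, dc=example,dc=org, the group DNs.
ldap ldap_wireless {
    server = "ldap.example.org"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=wireless,ou=groups,dc=example,dc=org))"
    tls {
        start_tls = yes
    }
}

ldap ldap_vpn {
    server = "ldap.example.org"
    basedn = "ou=people,dc=example,dc=org"
    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=vpn,ou=groups,dc=example,dc=org))"
    tls {
        start_tls = yes
    }
}

# users file: choose the Autz-Type from the NAS that sent the request.
# 127.0.0.1 is the test NAS from the post; 192.0.2.10 is a placeholder VPN
# concentrator. No Fall-Through, so the first matching DEFAULT entry wins.
DEFAULT NAS-IP-Address == 127.0.0.1, Autz-Type := Wireless
DEFAULT NAS-IP-Address == 192.0.2.10, Autz-Type := VPN

# sites-enabled/default (and, for the TTLS inner request, the same blocks in
# sites-enabled/inner-tunnel). The bare "ldap" entry from the stock file is
# deliberately absent: if it stays, the un-named instance runs unconditionally
# and its default filter is the one that shows up in debug output.
# The Autz-Type sub-section runs after the main authorize list, keyed on the
# control item that "files" set from the users file above.
authorize {
    preprocess
    suffix
    eap
    files
    Autz-Type Wireless {
        ldap_wireless
    }
    Autz-Type VPN {
        ldap_vpn
    }
    pap
}
# Assumption: if NAS-IP-Address does not appear in the inner-tunnel request,
# set copy_request_to_tunnel = yes in the ttls {} block of eap.conf.
```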
