using different LDAP queries to authorize for different services

Alan DeKok aland at deployingradius.com
Thu Apr 3 02:52:37 CEST 2008


Sylvain Robitaille wrote:
> 
> I'm back.  Small reminder, since it appears that list members are
> helping a sufficient number of folks that remembering my particular
> setup would be non-trivial:

  I have trouble remembering messages from 10 minutes ago.  It's easier
that way.

...
>   - My configuration files are nearly "stock", with the exception of the
>     necessary configuration to get the ldap module talking to the LDAP
>     server.
>   - This setup has been running like this now for a couple of days
>     without any trouble.

  And yes, it really is that easy.  (That's mostly for the people who
think it's hard... because they butcher the default configs.)

> What I'm aiming to accomplish, however, is that the FreeRADIUS server
> will authorize users for different services based on a slightly
> different LDAP query.  The users are in various groups, which can be
> checked by supplying an LDAP query filter that checks the "memberOf"
> attribute;  Users in group "wireless" should be permitted to use the
> wireless service; users in group "vpn" should be able to use the VPN
> service; users in both groups could use either, and users in neither
> group should be refused for either, etc.

  You should be able to do this with multiple LDAP modules, or maybe by
dynamically editing the ldap query.

>...  Running radiusd in debug mode shows that the
> ldap module is using the configuration for its un-named instance (the
> default one from the stock config files, with minimal configuration to
> permit it to lookup users in our LDAP).

  You have to change the reference to "ldap" in sites-available/default
to the instance name, e.g. "ldap_wireless".

> I can tell the difference in which LDAP module configuration stanza is
> used by the query filter shown in the debug output.

  Thankfully.  Isn't debug output nice?  More people should use it...

  Alan DeKok.
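The per-service setup described above, written out as an added example (not configuration from this thread or from the FreeRADIUS project). It assumes the FreeRADIUS 2.x layout that the thread refers to (modules/ldap plus sites-available/default), a directory under dc=example,dc=com with group entries under ou=groups, a "memberOf" attribute maintained by the directory, and that the service can be told apart by NAS-Port-Type; all of those names and values are made up for the example.

```conf
# --- /etc/raddb/modules/ldap (constructed example) ---
# Two named instances of rlm_ldap. Each one differs from the stock
# instance only in its name and in the extra (memberOf=...) term of the
# filter, so a user who is not in the group simply does not match.
ldap ldap_wireless {
        server   = "ldap.example.com"
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "REPLACE-WITH-BIND-PASSWORD"   # keep this file mode 0640, owned by the radiusd user
        basedn   = "ou=people,dc=example,dc=com"
        # Match the user only if the entry is also a member of the wireless group
        filter   = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=wireless,ou=groups,dc=example,dc=com))"
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

ldap ldap_vpn {
        server   = "ldap.example.com"
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "REPLACE-WITH-BIND-PASSWORD"
        basedn   = "ou=people,dc=example,dc=com"
        # Same idea, but the VPN group
        filter   = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=vpn,ou=groups,dc=example,dc=com))"
        ldap_connections_number = 5
        timeout     = 4
        timelimit   = 3
        net_timeout = 1
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# --- /etc/raddb/sites-available/default, authorize section (constructed example) ---
# The bare "ldap" reference from the stock config is replaced by a
# choice between the named instances. The service is picked here by
# NAS-Port-Type (an assumption; a per-NAS "huntgroup" or a separate
# virtual server per NAS would work the same way).
authorize {
        preprocess
        suffix

        if (NAS-Port-Type == Wireless-802.11) {
                ldap_wireless
                # No entry matched the wireless filter: not in the group, refuse
                if (notfound) {
                        reject
                }
        }
        elsif (NAS-Port-Type == Virtual) {
                ldap_vpn
                if (notfound) {
                        reject
                }
        }
        else {
                # A request from a NAS type we do not serve gets nothing
                reject
        }

        pap
}
```

A user in both groups matches whichever filter applies to the service they are using; a user in neither matches no filter and is rejected by the "notfound" branch rather than silently falling through. With radiusd -X the "ldap_wireless" or "ldap_vpn" instance name and its expanded filter appear in the debug output for each request, which is the check the thread relies on. This assumes the stock ldap.attrmap is used and the bind identity can read the password attribute, so that "pap" does the comparison; if you instead rely on the module binding as the user (Auth-Type LDAP), the authenticate section must also reference the named instance rather than plain "ldap".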



More information about the Freeradius-Users mailing list