using different LDAP queries to authorize for different services
Chris
cjl at viptalk.net
Thu Apr 3 06:04:11 CEST 2008
On Apr 2, 2008, at 5:52 PM, Alan DeKok wrote:
> Sylvain Robitaille wrote:
>
>> What I'm aiming to accomplish, however, is that the FreeRADIUS server
>> will authorize users for different services based on a slightly
>> different LDAP query. The users are in various groups, which can be
>> checked by supplying an LDAP query filter that checks the "memberOf"
>> attribute; Users in group "wireless" should be permitted to use the
>> wireless service; users in group "vpn" should be able to use the VPN
>> service; users in both groups could use either, and users in neither
>> group should be refused for either, etc.
>
> You should be able to do this with multiple LDAP modules, or maybe by
> dynamically editing the ldap query.
>
>> ... Running radiusd in debug mode shows that the
>> ldap module is using the configuration for its un-named instance (the
>> default one from the stock config files, with minimal configuration
>> to
>> permit it to lookup users in our LDAP).
>
> You have to change the reference to "ldap" in sites-available/
> default.
> to the instance name. e.g. "ldap_wireless".
>
I'm looking to do something similar.
What is the proper way to call a specific LDAP module based on NAS-IP-
Address (or huntgroup, probably)?
I don't want anything other than files (for overriding LDAP for
testing) then LDAP.
Obviously, I want to stay as close to the default config as
possible. :)
More information about the Freeradius-Users
mailing list