using different LDAP queries to authorize for different services

Alan DeKok aland at deployingradius.com
Thu Apr 3 07:57:10 CEST 2008


Sylvain Robitaille wrote:
>> And yes, it really is that easy.  ...
> 
> And quite frankly, darned amazing!  All (?!? nearly all?) the third-party
> documentation out there makes it *seem* difficult.

  2 reasons: (1) that "documentation" is usually written by people who
don't understand how the server works, and (2) if they admitted it was
that easy, their "howto" pages would be 4 lines long.

>> You have to change the reference to "ldap" in sites-available/default
>> to the instance name.  e.g. "ldap_wireless".
> 
> In the "authorize" stanza, then?  So I replace

  Yes. You replace "ldap" with "ldap_authorize".

> Can I then add an "ldap_vpn" as well, in the same place?

  Depending on what you want, perhaps.

> Is this where I should be using
> 
>         Autz-Type wireless {

  In 2.0, you don't really need Autz-Type.  I would suggest pretending
that it doesn't exist.  Instead, use "unlang".

> I'm placing the ldap module-instance configuration in radiusd.conf,
> and setting Autz-Type in users.  Are these the "correct" places for
> those items?

  radiusd.conf configures everything in the server.  The "users" file
has a much more limited scope.

> Is there specific documentation I should be re-reading to properly
> understand this?  I feel as though I "sort-of" understand the sequence,
> from examining debug output, but I don't feel I really know (yet) how to
> make the server do my bidding.

  doc/aaa.txt.

  The sections are processed top to bottom, as a linear list.  If you
want to make the server do your bidding, write "if/else" statements
using "unlang".

  i.e. write the conditions you want to match in plain english, and what
you want it to do.  Then, translate that pretty much directly into "unlang".

  Alan DeKok.



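The configuration Alan is describing, written out as an added example (this is not from the thread or from the FreeRADIUS distribution). It assumes FreeRADIUS 2.0, two hypothetical ldap instances named ldap_wireless and ldap_vpn pointing at different base DNs on a hypothetical server ldap.example.com, that the wireless NAS sends NAS-Port-Type = Wireless-802.11 and the VPN concentrator sends NAS-Port-Type = Virtual (confirm the real values with radiusd -X), and that both services use PAP so the server can bind to LDAP as the user. The module instances go in radiusd.conf (or modules/ldap); the "if/elsif" block goes in the authorize section of sites-available/default in place of the single "ldap" line, which is the "plain English, then unlang" translation suggested above:

```text
#
#  radiusd.conf (FreeRADIUS 2.0): two instances of the ldap module.
#  "ldap" is the module, "ldap_wireless" / "ldap_vpn" are the instance
#  names that are then referenced from the site configuration.
#  Server and DNs below are assumed/hypothetical.
#
ldap ldap_wireless {
	server = "ldap.example.com"
	basedn = "ou=wireless,dc=example,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

ldap ldap_vpn {
	server = "ldap.example.com"
	basedn = "ou=vpn,dc=example,dc=com"
	filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

#
#  sites-available/default: replace the single "ldap" line in
#  "authorize" with the unlang below.  Plain English first:
#    "If the request came from a wireless NAS, look the user up in the
#     wireless subtree; if it came from the VPN, look in the VPN
#     subtree; if the user is not found there, reject."
#
authorize {
	preprocess
	suffix
	#  ... other stock modules as in the default site ...

	if (NAS-Port-Type == Wireless-802.11) {
		ldap_wireless
	}
	elsif (NAS-Port-Type == Virtual) {
		ldap_vpn
	}
	else {
		#  Unknown kind of NAS: no directory applies, so do not
		#  let the request fall through to another auth method.
		reject
	}

	#  "notfound" is the return code of whichever ldap_* ran above.
	if (notfound) {
		reject
	}
	else {
		#  User exists in the right subtree: authenticate by LDAP
		#  bind.  Setting this ourselves keeps the choice of
		#  Auth-Type independent of the instance name.
		update control {
			Auth-Type := LDAP
		}
	}
}

authenticate {
	#  Bind against the same subtree that authorized the user.
	Auth-Type LDAP {
		if (NAS-Port-Type == Wireless-802.11) {
			ldap_wireless
		}
		else {
			ldap_vpn
		}
	}
}
```

Two things to check when adapting this. First, the attribute you branch on must actually be present and distinct in the requests; if both NASes send the same NAS-Port-Type, branch on NAS-IP-Address or a huntgroup instead. Second, an LDAP bind only works when the server has the user's clear-text password, i.e. PAP; with EAP methods such as PEAP/MSCHAPv2 the ldap instance must instead return the password (for example an NT hash) in authorize and Auth-Type must not be forced to LDAP.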
More information about the Freeradius-Users mailing list