Re: Authentication type (ldap, users, etc) per client or user?
falz wrote:
> This would technically get things working, but poses a security issue.
> I want to have clients associated with backends. The above example
> appears that it will simply give priority of one authentication source
> over the other, which isn't what I'm trying to do.
You can use Autz-Type to get what you want, but it's more complicated.
> I'll look into 2.0 if this is the only way to get this functionality.
It's not the only way, but it's *much* easier in 2.0. You just put an
entry in the "client" configuration saying "virtual_server = foo", and
all requests get processed through "foo".
> No, I did not remove the files section. It is called, and loaded per
> my output in the previous email.
It's not listed in the debug output you posted. So it's not being called.
> Looking through the docs, it appears that Autz-Type gives indications
> of what I am trying to do:
>
> http://www.freeradius.org/radiusd/doc/Autz-Type
Yes. It may require running two copies of the "files" module, which
is more complicated.
> I will experiment with it and some syntax, and chime back in when I
> get things working for future reference for other users (and for me,
> if I neglect to document it myself :)
In 2.0:
  client a {
    ipaddr = 1.2.3.4
    ...
    virtual_server = foo
  }
  client b {
    ipaddr = 5.6.7.8
    ...
    virtual_server = bar
  }
  server foo {
    authorize {
      users
      ...
    }
    ...
  }
  server bar {
    authorize {
      ldap
      ...
    }
    ...
  }
It's more typing to set up, but it's significantly easier to
understand and to maintain. It means that there are fewer possibilities
for something to go wrong, too.
Alan DeKok.
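
Added example, not part of the message above and not FreeRADIUS code: a small Python check that reads a configuration laid out like the 2.0 snippet and reports any client whose virtual_server is missing or names a server that is not defined, which are the cases where a client is not tied to the intended backend. The parser is a simplified assumption that handles only this block layout; client "c" and the name "baz" are constructed to trigger findings.

```python
import re

# Constructed input in the style of the post; client c and "baz" are invented.
SAMPLE = """
client a {
    virtual_server = foo
}
client b {
    virtual_server = baz
}
client c {
    ipaddr = 192.0.2.9
}
server foo {
    authorize {
        users
    }
}
server bar {
    authorize {
        ldap
    }
}
"""

def parse(text):
    """Return ({client: virtual_server or None}, {server: [authorize modules]})."""
    clients, servers, stack = {}, {}, []
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        block = re.fullmatch(r"(\w+)\s*(\S*)\s*\{", line)
        if block:
            stack.append(block.groups())          # (block type, block name)
            if stack == [("client", block.group(2))]:
                clients[block.group(2)] = None    # top-level client, not yet pinned
            elif stack == [("server", block.group(2))]:
                servers[block.group(2)] = []
        elif line == "}":
            stack.pop()
        elif stack and stack[0][0] == "client" and line.startswith("virtual_server"):
            clients[stack[0][1]] = line.partition("=")[2].strip()
        elif line and [b[0] for b in stack] == ["server", "authorize"]:
            servers[stack[0][1]].append(line)     # module listed under authorize
    return clients, servers

def audit(text):
    """List clients that do not resolve to a defined virtual server."""
    clients, servers = parse(text)
    return [f"client {c}: " + (f"undefined server {vs}" if vs else "no virtual_server")
            for c, vs in sorted(clients.items()) if vs not in servers]
```

Calling audit() on the constructed sample reports clients b and c; a configuration in which every client names a defined server returns an empty list.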