Different reply items out of LDAP depending on the NAS

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Aug 28 21:11:15 CEST 2009


On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <tnt at kalik.net> wrote:

> > I am trying to have granular reply items depending on the NAS they
> > connected to, all driven using attributes in LDAP without needing to use
> > realms.
> >
> > I.e. User A passes just User&Password to NAS A and gets reply attr
> > "Service-Type=admin", and the admin comes from an LDAP attribute "nasA"
> > in LDAP.
> > Same user logs into NAS B and gets back a "Service-Type=user", and the
> > value user comes from an attribute "nasB".
> >
> > Looking through the ldap.attrmap it seems to be a static mapping for
> > Service-Type to be statically set to a single value from LDAP, but what
> > happens if I want that value to be different depending on which NAS I
> > have connected from.
> >
> > Have searched around and haven't found any documents talking about how to
> > have this granular level of configuration.
>
> Well, you have custom attributes in LDAP - translate them to custom
> attributes in radius (define them first in raddb/dictionary and map them
> in ldap.attrmap, let's say nasA to nasA as replyItem, etc.)
>
> Then use unlang to set service type:
>
> if(NAS-IP-Address == NAS A IP) {
>     update reply {
>          Service-Type = "%{reply:nasA}"
>     }
> }
> elsif(NAS-IP-Address == NAS B IP) {
> ...


Another thought would be to have LDAP group based authorize and attributes
being passed back.

I.e. the user has "member" attributes specifying which services it has access
to and which attributes are to be passed back.

This is the user in LDAP.

dn: cn=user,o=users
member: cn=admin,ou=nasA,o=radius
member: cn=user,ou=nasB,o=radius
member: cn=1,ou=nasC,o=radius
member: cn=15,ou=nasC,o=radius
member: cn=somethingelse,o=groups

Then I think I would specify in the clients the update reply, i.e.:

if (NAS-IP-Address == NAS A IP) {
    update reply {
        Service-Type = "%{reply:nasA}"
    }
}



>
> Ivan Kalik
> Kalik Informatika ISP
>
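The per-NAS policy Ivan sketches above, written out as a complete FreeRADIUS 2.x fragment so the two files and the authorize section line up; this is an added example, not code from either poster. Assumptions: local attribute numbers 3000/3001, the constructed NAS addresses 192.0.2.10 and 192.0.2.20, and that the LDAP values are valid Service-Type names (for example Administrative-User or Login-User) rather than the literal "admin"/"user" in the question.

```unlang
# Added example (not from the thread). raddb/dictionary: local-only
# attribute numbers in the 3000+ range, as the stock file suggests.
ATTRIBUTE   nasA    3000    string
ATTRIBUTE   nasB    3001    string

# raddb/ldap.attrmap: copy the LDAP attributes nasA/nasB into the reply list.
replyItem   nasA    nasA
replyItem   nasB    nasB

# raddb/sites-enabled/default, authorize section. NAS addresses are
# constructed placeholders; the LDAP values must be valid Service-Type
# value names, otherwise the update fails.
authorize {
    preprocess
    ldap
    if (NAS-IP-Address == 192.0.2.10) {            # NAS A
        if ("%{reply:nasA}" != "") {
            update reply {
                Service-Type := "%{reply:nasA}"
            }
        }
        else {
            reject                                  # no entitlement for NAS A: fail closed
        }
    }
    elsif (NAS-IP-Address == 192.0.2.20) {         # NAS B
        if ("%{reply:nasB}" != "") {
            update reply {
                Service-Type := "%{reply:nasB}"
            }
        }
        else {
            reject
        }
    }
    else {
        reject                                      # NAS with no policy: no access
    }
    # Drop the helper attributes so the reply carries only Service-Type.
    update reply {
        nasA !* ANY
        nasB !* ANY
    }
    pap
}
```

Note that the `ldap` module must run before the `if` blocks, since the conditions read the reply attributes it populates.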