Users-file and LDAP backend mixing questions
Куприянов Максим
max2k1 at yandex.ru
Mon Jan 19 13:21:17 CET 2009
> Куприянов Максим wrote:
> > I'm using FreeRadius 2.1.3 with LDAP (eDirectory) and plain-text (users file) backends and I don't know how to solve a couple of problems :(
>
> How do you tell the users apart?
>
> > 1. Is it possible to mix users with the same names, but different passwords, from LDAP and from the users file? There are some old-time users in my org who don't belong to the eDirectory tree, and there are users in eDirectory with the same names that should not be treated like the old-time ones.
>
> Maybe.
>
I guess I've found some kind of solution:
/etc/raddb/dictionary:
ATTRIBUTE Local-Skip-LDAP 3101 integer
ATTRIBUTE Local-LDAP-User 3102 integer
VALUE Local-Skip-LDAP true 1
VALUE Local-Skip-LDAP false 0
VALUE Local-LDAP-User true 1
VALUE Local-LDAP-User false 0
/etc/raddb/users:
old_user User-Password == "testing", Cleartext-Password := "testing"
        Local-Skip-LDAP = true
/etc/raddb/sites-available/default:
authorize {
    ..
    if (!reply:Local-Skip-LDAP) {
        ldap
        if (ok) {
            update request {
                Local-LDAP-User := true
            }
        }
    }
    ..
}
The only problem I've got is that, instead of using the users file to specify default attributes for those non-LDAP users, I should use the post-auth section of the "default" site with the (!request:Local-LDAP-User) condition, and vice versa.
So, many thanks to Alan for the "man unlang" hint :)
But one problem still remains - I still don't understand how to check that an LDAP user does not belong to any group. Any ideas?
---
Maxim
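
The post-auth counterpart described in the message above, as an added example that is not part of the original post. The reply attributes and their values (Reply-Message, Session-Timeout) are constructed placeholders; only Local-LDAP-User and the condition come from the message.

```unlang
# /etc/raddb/sites-available/default (added example, not from the original post)
post-auth {
    # Local-LDAP-User is set in the request list by the authorize
    # section only when the ldap module returned "ok", so it is
    # absent for users matched by the users file.
    if (!request:Local-LDAP-User) {
        # Defaults for old-time users from the users file.
        # Attribute values below are constructed placeholders.
        update reply {
            Reply-Message := "users-file account"
            Session-Timeout := 3600
        }
    }
    else {
        # Defaults for users found in eDirectory.
        # Attribute values below are constructed placeholders.
        update reply {
            Reply-Message := "LDAP account"
            Session-Timeout := 28800
        }
    }
}
```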