ldap: multiple radius profiles
Hachmer, Tobias
Tobias.Hachmer at stadt-frankfurt.de
Mon Sep 2 13:57:42 CEST 2013
Dear list members,
I have the following setup:
- Centos 6.4
- freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- authorization & authentication in ldap (openldap)
What I am trying to achieve is:
- manage radius profiles completely in ldap with replyItems
- return reply Items of multiple profiles to a user if he belongs to multiple profiles
Example RADIUS Profiles:
dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Read-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Write-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Admin-Priv"
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0xffffffff
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0xffffffff
dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = "Root-Admin"
Example RADIUS User:
dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
cn: Tobias Hachmer
givenName: Tobias
mail: tobias.hachmer at stadt-frankfurt.de
radiusServiceType: Administrative-User
sn: Hachmer
uid: hachmer
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusProfile
userPassword:: ...
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite
I don't know how to configure FreeRADIUS to read the "radiusGroupName" attribute and attach the configured return items to the reply list.
Using unlang I am able to do this:
if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
    update reply {
        Alcatel-Access-Priv = Alcatel-Read-Priv
        Alcatel-Access-Priv += Alcatel-Write-Priv
        Alcatel-Access-Priv += Alcatel-Admin-Priv
        Alcatel-Acce-Priv-F-W1 := 0xffffffff
        Alcatel-Acce-Priv-F-W2 := 0xffffffff
        Alcatel-Asa-Access := All
    }
}
if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
    update reply {
        NS-Admin-Privilege := Root-Admin
    }
}
This is working fine but has the disadvantage that I have to configure the return items statically in the FreeRADIUS configuration files.
I want to manage these profiles in LDAP as well. Is this possible?
Kind regards,
Tobias Hachmer
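Added example, not part of the original post and not FreeRADIUS or rlm_ldap code: a small simulation of what the poster is asking for, namely resolving a user's radiusGroupName values to profile entries and merging their radiusReplyItem lines into one reply list under FreeRADIUS operator semantics (`=` sets only if absent, `:=` replaces, `+=` appends). The LDIF is a constructed copy of the entries in the post (userPassword omitted), and the "radiusGroupName holds the profile uid under ou=profiles" lookup is the poster's own convention, assumed here rather than anything rlm_ldap does by default. In the real module the place to look is rlm_ldap's `profile_attribute` option, which applies the profile entry whose DN a user attribute holds; check the documentation for your version before relying on it to apply several profiles.

```python
"""Simulate merging reply items from several LDAP profile entries.

Added example, not from the original post or the FreeRADIUS project.
The group -> profile resolution (radiusGroupName = profile uid under
ou=profiles) is an assumption taken from the poster's LDIF layout.
"""
import re
from collections import OrderedDict

# Constructed LDIF, modelled on the entries in the post (no password).
LDIF = """\
dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Read-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Write-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Admin-Priv"
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0xffffffff
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0xffffffff

dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = "Root-Admin"

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
uid: hachmer
radiusServiceType: Administrative-User
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite
"""

# "Attribute op value"; ':=' must be tried before '=' in the alternation.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*(.*?)\s*$')

# Assumed location of the profile entries (from the poster's DNs).
PROFILE_BASE = 'ou=profiles,ou=radius,dc=example,dc=com'


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64 values)
    into {dn: {attribute: [values]}}; every attribute is multi-valued."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(':')
        value = value.strip()
        if attr == 'dn':
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries


def parse_reply_item(item):
    """'Attr op value' -> (attr, op, value), surrounding quotes removed."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError('malformed radiusReplyItem: %r' % item)
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def apply_item(reply, attr, op, value):
    """FreeRADIUS reply-list operators:
       =   set only if the attribute is not already present
       :=  replace all existing values with this one
       +=  append, keeping existing values"""
    if op == '=':
        reply.setdefault(attr, [value])
    elif op == ':=':
        reply[attr] = [value]
    elif op == '+=':
        reply.setdefault(attr, []).append(value)
    else:
        raise ValueError('unsupported operator %r' % op)
    return reply


def build_reply(entries, user_dn, profile_base=PROFILE_BASE):
    """Resolve each radiusGroupName to a profile entry by uid and merge the
    profiles' reply items in the order the user entry lists them.
    A dangling profile reference fails closed instead of granting a subset."""
    user = entries[user_dn]
    reply = OrderedDict()
    for group in user.get('radiusGroupName', []):
        profile_dn = 'uid=%s,%s' % (group, profile_base)
        if profile_dn not in entries:
            raise KeyError('profile not found: %s' % profile_dn)
        for item in entries[profile_dn].get('radiusReplyItem', []):
            apply_item(reply, *parse_reply_item(item))
    return reply


if __name__ == '__main__':
    merged = build_reply(parse_ldif(LDIF),
                         'uid=hachmer,ou=users,ou=radius,dc=example,dc=com')
    for attr, values in merged.items():
        for v in values:
            print('%s = %s' % (attr, v))
```

Two things the merge makes visible that matter when several profiles apply to one user: `+=` items accumulate across profiles, so a user in two profiles gets the union of their privileges, while a `:=` in a later profile silently overwrites whatever an earlier profile set, so the order of the radiusGroupName values decides the outcome. Whoever can write radiusGroupName on a user or radiusReplyItem on a profile entry therefore controls administrative access to the network devices, so the LDAP ACLs on ou=radius deserve the same care as the RADIUS configuration files they replace.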