ldap module for user and mac authentication

Dave Macias davama at gmail.com
Tue Aug 7 22:04:10 CEST 2018


Thank you for the reply Alan!


>   You can do any kind of LDAP query in FreeRADIUS.  Why not just do the
> same %{ldap:...} checks there?
>

Yes, I had thought of something to the effect of (suggestions welcome):

if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
    if (!"%{ldap:ldap://master2/ou=%{client:shortname},ou=macs,dc=myorg,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
        reject
    }
}
update {
    control:Auth-Type := Accept
}

But this does not account for the scenario of openldap being dead.
The 1st "if" statement will always be FALSE, it will never attempt the next
"if" statement, and therefore 'Accept'.

We currently use do_not_respond in conjunction with the ldap module so that
radius never responds if openldap were down:
http://lists.freeradius.org/pipermail/freeradius-users/2018-May/091477.html

The nice feature of the module is that you can configure multiple ldap
servers. If one fails then it will automatically try the next and so forth.

mods-enabled/ldap
ldap {
    server = host1      # <- this one is dead
    server = host2      # <- this one is alive so use this one in the query
    ...
}

Unless there is a way to query the "live" ldap server which the ldap module
found, e.g. %{ldap:ldap://%{live.ldap.server}/...}, if that makes sense.



Thanks!
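
One way to let the ldap module's own server failover do the work instead of the %{ldap:...} xlat, as an added example that is not from the thread: the MAC lookup is moved into a dedicated ldap module instance, so a dead server is skipped by the module and an LDAP failure (every server down) stays distinguishable from a MAC that is simply not in the directory. The instance name ldap_mac, the rcode override and the site layout are my assumptions; the base DN, filter, server names and do_not_respond come from the message above.

```unlang
# mods-enabled/ldap_mac  (assumed instance name; DN and filter from the thread)
ldap ldap_mac {
	# More than one server: the module tries the next one when the first is dead.
	server = "master1"
	server = "master2"
	user {
		# Per-NAS base, same as the xlat in the thread.
		base_dn = "ou=%{client:shortname},ou=macs,dc=myorg,dc=net"
		# Match on the MAC the NAS sent; no user name is involved.
		filter = "(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))"
	}
}

# sites-enabled/<site>, authorize section (layout assumed)
authorize {
	# Override the default action for "fail" so the section does not return
	# before the rcode checks below are evaluated.
	ldap_mac {
		fail = 1
	}
	if (fail) {
		# Every LDAP server was unreachable: stay silent instead of
		# accepting or rejecting on missing information (do_not_respond
		# is assumed enabled, as in the poster's setup).
		do_not_respond
	}
	if (notfound) {
		# Servers answered, MAC is not registered for this NAS.
		reject
	}
	if (ok || updated) {
		# Entry found: accept without a password check, as in the thread.
		update {
			control:Auth-Type := Accept
		}
	}
}
```

Because the two checks are on module return codes rather than on an xlat that expands to an empty string either way, "directory down" and "MAC unknown" no longer collapse into the same branch.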


More information about the Freeradius-Users mailing list