Ooo<br><br>I think I found the solution: in users-vlan I changed the lines to this:<br><br> DEFAULT ldap1-Ldap-Group==Local<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,<br> Tunnel-Private-Group-Id=Local,
<br> Fall-Through = No<br><br> DEFAULT ldap1-Ldap-Group==Invitados<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,<br> Tunnel-Private-Group-Id=Invitado,<br> Fall-Through = No<br><br> DEFAULT ldap2-Ldap-Group==Local
<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,<br> Tunnel-Private-Group-Id=Local,<br> Fall-Through = No<br><br> DEFAULT ldap2-Ldap-Group==Invitados<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,
<br> Tunnel-Private-Group-Id=Invitado,<br> Fall-Through = No<br><br> DEFAULT ldap3-Ldap-Group==Local<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,<br> Tunnel-Private-Group-Id=Local,<br>
Fall-Through = No<br><br> DEFAULT ldap3-Ldap-Group==Invitados<br> Tunnel-Type=VLAN,<br> Tunnel-Medium-Type=6,<br> Tunnel-Private-Group-Id=Invitado,<br> Fall-Through = No<br><br>And it doesn't do unnecessary searches, and when it has to search, it searches correctly.
<br>This works, but is it the best way to do it?<br><br><div><span class="gmail_quote">2006/6/7, wekz <<a href="mailto:fbl.list@gmail.com">fbl.list@gmail.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Thanks very much, Phil. That works; I think it doesn't work in the hints file for the reasons you told me.<br><br>Now I've got a new problem. I use radiusGroupName to make the users belong to VLAN1, VLAN2 or VLAN3. So I enable
<br> <br> groupmembership_attribute = radiusGroupName<br><br>but I left groupname_attribute and groupmembership_filter commented out (in each ldap module).<br><br>In another file called users-vlan I defined this:
<br>
<br> DEFAULT Ldap-Group == Local<br> stuff for assigning VLAN1<br> .....<br>The file that determines where the users come from is users-procedence:<br><br> DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type=customer1
<br> .....<br><br>The file that proxies (users-proxy):<br> DEFAULT proxy-to-realm:=CENTRAL<br><br>The authorization section:<br>....<br>users-procedence</div><div><span class="q"><br>autztype customer1{<br> redundant {
<br> group {
<br> ldap1 {
<br> notfound = return<br></span></div><div><div> fail = return<br> }<br> users-vlan
</div><div><span class="q"><br> mschap
<br> eap<br> notfound = 1<br> fail = 1<br> }<br></span></div><div> users-proxy<br>
}
<br> }
</div>.....<br><br><br>The situation is: a user that must be authorized against ldap2 matches in the users-procedence file and gets the customer2 autztype. So the user is looked up in ldap2.<br><br> 1.- If it fails, in the logs I can see radius looking for ldap_groupcmp() in ldap3, when all I think it must do is proxy.
<br> 2.- In case the user is found, it also searches for the ldap group in ldap3.<br><br>I think in the first case there are two problems: it searches when it doesn't have to (an unnecessary search), and it searches badly because it does so in the last ldap instantiated (that is, ldap3).
<br><br>In the second case the problem is that it searches in the last ldap instantiated.<br><br>(This configuration works fine when all you have is one ldap.)<br><br>Is that a bug? I found a similar bug in the bug list, but it belongs to version 1.0.1 (bug #163, about unnecessary searches), and I think I read a bug about searching in the last ldap instantiated (but I think that has to do with older versions and I can't find it).<br><div><span class="gmail_quote">
<br>I solved this problem yesterday, but I don't know how to say it... I solved it in a dirty way (I hope you understand). So if you or anyone has an idea...<br><br>2006/6/5, Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
p.mayers@imperial.ac.uk</a>>:</span></div><div><span class="e" id="q_10bad6997d61ebcc_5"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
wekz wrote:<br>><br>> I don't know if I have explained it correctly; if I haven't, just tell me (
<br>> I'm not an English speaker )<br><br>Your English is great.<br><br>> My hints file:<br><br>Nearly there. Try:<br><br>DEFAULT NAS-IP-Address == 192.168.xx.yy, Autz-Type := LDAPx<br><br>I'm not sure that'll work in a hints file - so you may need to use a
<br>"users" file - hints puts items into the request pairs, Autz-Type needs<br>to go into the configure pairs.<br><br>Try this:<br><br>modules {<br> # other stuff<br> files filesFirst {<br> usersfile = ${confdir}/usersFirst
<br> }<br>}<br><br>authorize {<br> preprocess<br> filesFirst<br> Autz-Type LDAP1 {<br> # stuff here<br> ldap1<br> }<br> # other LDAP modules<br>}<br><br>And in ${confdir}/usersFirst:<br><br>DEFAULT NAS-IP-Address ==
192.168.51.xx, Autz-Type := LDAP1<br><br>DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type := LDAP2<br><br>...and so on.<br><br>The other slightly simpler way might be to use a "passwd" (badly named)<br>module,
e.g.:<br><br>modules {<br> passwd nas2autz {<br> filename = ${confdir}/nas2autz<br> format = "*NAS-IP-Address:Autz-Type"<br> # set to 0 to read file on every request - slow<br> # but instant-updates
<br> hashsize = 100<br> }<br>}<br><br>authorize {<br> preprocess<br> nas2autz<br> Autz-Type LDAP1 {<br> ldap1<br> }<br> # other Autz<br>}<br><br>...and in ${confdir}/nas2autz<br><br>192.168.51.xx:LDAP1
<br>192.168.51.yy:LDAP2<br><br>Hope that helps<br>Phil<br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.freeradius.org/list/users.html</a><br></blockquote></span></div><div></div><br>
</div></blockquote></div><br>
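As an added example (not code from the thread, from its authors or from FreeRADIUS): a small Python linter for users-vlan files like the one above. It assumes the standard users-file layout (an unindented line carrying the entry name and comma-separated check items, then indented comma-separated reply items) and takes the names of the configured ldap instances as a parameter; ldap1, ldap2 and ldap3 are assumed here because those are the instances named in the thread. Both embedded inputs are constructed: one copies two of the working entries from the message, the other carries the mistakes the thread is about (a bare Ldap-Group check, which binds to the last ldap instance loaded when several exist; a Tunnel-* triple with Tunnel-Medium-Type missing; Fall-Through = Yes; and one group sent to two different VLANs in two entries). Tunnel-Type 13 is VLAN and Tunnel-Medium-Type 6 is IEEE-802, per RFC 3580.

```python
"""Lint a FreeRADIUS 1.x users-file fragment that maps LDAP groups to VLANs (added example)."""
import re
from typing import Dict, List, Tuple

# attribute, operator, value: the check/reply pair syntax of a users file
_PAIR = re.compile(
    r'^\s*([A-Za-z0-9_.-]+)\s*(==|:=|\+=|!=|=~|!~|=\*|!\*|>=|<=|=|>|<)\s*(.*?)\s*$')

def _split_commas(s: str) -> List[str]:
    """Split on commas that are outside double quotes."""
    out, buf, quoted = [], [], False
    for ch in s:
        quoted ^= (ch == '"')
        if ch == ',' and not quoted:
            out.append(''.join(buf)); buf = []
        else:
            buf.append(ch)
    return out + [''.join(buf)]

def _parse_pairs(s: str) -> List[Tuple[str, str, str]]:
    pairs = []
    for chunk in filter(str.strip, _split_commas(s)):   # drop the empty tail after a trailing comma
        m = _PAIR.match(chunk)
        if not m:
            raise ValueError(f"cannot parse pair: {chunk!r}")
        attr, op, val = m.groups()
        pairs.append((attr, op, val.strip('"')))
    return pairs

def parse_users(text: str) -> List[Dict]:
    """Entries as {name, check, reply} in file order; an unindented line starts an entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if not raw[0].isspace():
            name, _, rest = raw.strip().partition(' ')
            cur = {"name": name, "check": _parse_pairs(rest), "reply": []}
            entries.append(cur)
        else:
            cur["reply"].extend(_parse_pairs(raw))     # indented: reply items of the current entry
    return entries

def lint_vlan_entries(text: str, ldap_instances: List[str]) -> List[str]:
    """Return findings for every entry that checks an LDAP group; [] means clean."""
    findings: List[str] = []
    group_to_vlan: Dict[str, str] = {}    # group name -> VLAN assigned so far
    for n, e in enumerate(parse_users(text), 1):
        groups = [(a, v) for a, _, v in e["check"] if a.lower().endswith("ldap-group")]
        if not groups:
            continue
        reply = {a: v for a, _, v in e["reply"]}
        vlan = reply.get("Tunnel-Private-Group-Id")
        for attr, group in groups:
            if attr.lower() == "ldap-group":
                if len(ldap_instances) > 1:   # bare check binds to the last ldap instance loaded
                    findings.append(f"entry {n}: bare Ldap-Group with {len(ldap_instances)} "
                                    f"ldap instances; use <instance>-Ldap-Group")
            elif attr[:-len("-Ldap-Group")] not in ldap_instances:
                findings.append(f"entry {n}: {attr} names an unconfigured ldap instance")
            if vlan is not None:
                prev = group_to_vlan.setdefault(group, vlan)
                if prev != vlan:
                    findings.append(f"entry {n}: group {group!r} mapped to VLAN {vlan!r} "
                                    f"but earlier to {prev!r}")
        for attr in ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"):
            if attr not in reply:             # RFC 3580 VLAN assignment needs all three
                findings.append(f"entry {n}: missing {attr}")
        if reply.get("Fall-Through", "No").lower() == "yes":
            findings.append(f"entry {n}: Fall-Through = Yes lets a later entry add a second VLAN")
    return findings

# Constructed sample: the ldap1 and ldap2 'Local' entries from the message above.
USERS_VLAN = """\
DEFAULT ldap1-Ldap-Group==Local
\tTunnel-Type=VLAN,
\tTunnel-Medium-Type=6,
\tTunnel-Private-Group-Id=Local,
\tFall-Through = No

DEFAULT ldap2-Ldap-Group==Local
\tTunnel-Type=VLAN,
\tTunnel-Medium-Type=6,
\tTunnel-Private-Group-Id=Local,
\tFall-Through = No
"""

# Constructed broken sample: bare Ldap-Group, Fall-Through = Yes, the same
# group sent to a different VLAN, and a missing Tunnel-Medium-Type.
BAD_USERS_VLAN = """\
DEFAULT Ldap-Group==Local
\tTunnel-Type=VLAN,
\tTunnel-Medium-Type=6,
\tTunnel-Private-Group-Id=Local,
\tFall-Through = Yes

DEFAULT ldap2-Ldap-Group==Local
\tTunnel-Type=VLAN,
\tTunnel-Private-Group-Id=Guest
"""
```

Calling `lint_vlan_entries(open("users-vlan").read(), ["ldap1", "ldap2", "ldap3"])` on the real file returns an empty list for the configuration above; the broken sample returns one finding per mistake. The group-to-VLAN consistency check is the one worth keeping in a pre-deploy hook: with several ldap instances feeding the same file, a typo that sends a guest group into the Local VLAN is exactly the kind of error that nothing in radiusd itself will ever report.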