<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18241"></HEAD>
<BODY>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>We seek to take
advantage of FreeRadius 2.0.5's ability to run multiple virtual
servers.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>All our other
servers are working except one, which has a more complex
authentication setup.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>As a stand-alone
configuration this looks as follows:</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>################################################################<BR>##
MODULES
CONFIGURATION
##<BR>################################################################</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>modules
{<BR> ldap
dirnet{<BR>
server =
"directory.sub.main.com"<BR>
port =
389<BR>
identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"<BR>
password = xxxxxx</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
basedn =
"ou=network,dc=main,dc=com"<BR>
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))<BR>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
}</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008> ldap
dirnode{<BR>
server =
"directory.main.com"<BR>
port =
389<BR>
identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"<BR>
password
= yyyyyyyyyyy<BR>
basedn =
"dc=main,dc=com"<BR>
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"<BR>
groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))<BR>
groupmembership_attribute =
eduPersonEntitlement<BR>
groupname_attribute =
eduPersonEntitlement<BR>
access_attr = uid</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
}</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>server
{<BR>authenticate {<BR> ## Use LDAP
Authentication<BR> Auth-Type DIRNODE
{<BR>
dirnode<BR>
}<BR> Auth-Type DIRNET
{<BR>
dirnet<BR> }</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>}</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>authorize
{<BR> ## Use LDAP Authorization via
files config in 'users'<BR>
files<BR>}</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>And the users file
looks like</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV><SPAN
class=234091119-14112008>
<DIV><BR><FONT size=2 face=Arial>DEFAULT dirnet-Ldap-Group ==
"cn=AuthorizedGuestVendor<SPAN
class=234091119-14112008>MAIN</SPAN>AnywhereUsers,ou=IT,ou=groups,ou=network,dc=<SPAN
class=234091119-14112008>main</SPAN>,dc=<SPAN
class=234091119-14112008>com</SPAN>", Auth-Type :=
DIRNET<BR> Class =
"%{dirnet:ldap:///ou=authaccounts,ou=network,dc=<SPAN
class=234091119-14112008>main</SPAN>,dc=<SPAN
class=234091119-14112008>com</SPAN>?eduPersonEntitlement?sub?uid=%{User-Name}",
<BR> Fall-Through = no</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>DEFAULT dirnet-Ldap-Group ==
"cn=VPNPHONES,ou=IT,ou=groups,ou=network,dc=<SPAN
class=234091119-14112008>main</SPAN>,dc=<SPAN
class=234091119-14112008>com</SPAN>", Auth-Type :=
DIRNET<BR> Class = "urn:mace:<SPAN
class=234091119-14112008>main.com</SPAN>:RINGS:group:<SPAN
class=234091119-14112008>main</SPAN>_anywhere:vpnphone",<BR>
Fall-Through = no</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>DEFAULT User-Profile :=
"uid=%{Stripped-User-Name:-%{User-Name}},ou=authaccounts,dc=<SPAN
class=234091119-14112008>main</SPAN>,dc=<SPAN
class=234091119-14112008>com</SPAN>", Auth-Type :=
DIRNODE<BR> Class =
"%{dirnode:ldap:///ou=authaccounts,dc=<SPAN
class=234091119-14112008>main</SPAN>,dc=<SPAN
class=234091119-14112008>com</SPAN>?eduPersonEntitlement?sub?uid=%{User-Name}",<BR>
Fall-Through = no</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>DEFAULT Auth-Type :=
REJECT<BR> Reply-Message = "User Login
Rejected"</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial>--------------------------</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>I've gotten as far
as:</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>modules {<BR>## LDAP
Server configuration<BR>ldap
{<BR>}<BR> ## LDAP User-to-Group
mapping<BR> files
{<BR>
usersfile =
${confdir}/guest_vendor_mainanywhere_users<BR>
acctusersfile =
/dev/null<BR>
preproxy_usersfile =
/dev/null<BR>
compat = no<BR>
}<BR>}</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>authenticate
{<BR> ## Use LDAP Authentication
(entry in modules/ldap)<BR> Auth-Type
LDAP
{<BR>
dirnode<BR>
}<BR> Auth-Type LDAP
{<BR>
dirnet<BR> }<BR>}</FONT></SPAN></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>authorize
{<BR> ## Use LDAP Authorization via
files config in 'users' (entry in
modules/<BR>ldap)<BR>
dirnode<BR>
dirnet<BR>}</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>and the ldap file
entries look as follows:</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>ldap dirnet
{<BR>
#<BR> # Note that this needs to
match the name in the LDAP<BR> #
server certificate, if you're using
ldaps.<BR>
server =
"directory.sub.main.com"<BR>
port =
389<BR>
identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"<BR>
password = xxxxxx
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
basedn =
"ou=network,dc=main,dc=com"<BR>
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))<BR>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
}</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN class=234091119-14112008>ldap
dirnode{</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008></SPAN></FONT> </DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
server =
"directory.main.com"<BR>
port =
389<BR>
identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"<BR>
password
= yyyyyyyyyyy<BR>
basedn =
"dc=main,dc=com"<BR>
filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"<BR>
groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))<BR>
groupmembership_attribute =
eduPersonEntitlement<BR>
groupname_attribute =
eduPersonEntitlement<BR>
access_attr = uid
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>.</SPAN></FONT></DIV>
<DIV><FONT size=2 face=Arial><SPAN
class=234091119-14112008>
}</SPAN></FONT></DIV></SPAN></FONT></DIV></FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>with the users file
left unchanged from the stand-alone configuration above.</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>Any suggestions as
to how to configure this, especially the "authorize" section, so that both
dirnode and dirnet are tried would be welcome.</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>(As it is now,
dirnode auth works, but dirnet doesn't.)</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=234091119-14112008><FONT size=2 face=Arial>Thank
you!</FONT></SPAN></DIV>
<DIV><SPAN class=234091119-14112008></SPAN></SPAN> </DIV></BODY></HTML>