<div class="gmail_quote">On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div class="h5">> I am trying to have a granular based reply items depending on the NAS they<br>
> connected to all driven using attributes in LDAP without needing to use<br>
> realms.<br>
><br>
> IE User A passes just User&Password to NAS A. and gets reply attr<br>
> "Service-Type=admin", and the admin comes from an LDAP Attribute "nasA"<br>
> attribute in LDAP<br>
> Same user logs into NAS B and gets back a "Service-Type=user" and the<br>
> value<br>
> user comes from an attribute "nasB".<br>
><br>
> Looking through the ldap.attrmap it seems to be a static mapping for<br>
> Service-Type to be staticly set to a single value from LDAP, but what<br>
> happens if I want that value to be different depending on which NAS I have<br>
> connected from.<br>
><br>
> Have searched around and havn't found any documents talking about how to<br>
> have this grainular level of configuration.<br>
<br>
</div></div>Well, you have custom attributes in Ldap - translate them to custom<br>
attributes in radius (define them first in raddb/dictionary and map them<br>
in ldap.attrmap, lets say nasA to nasA as replyItem, etc.)<br>
<br>
Then use unlang to set service type:<br>
<br>
if(NAS-IP-Address == NAS A IP) {<br>
update reply {<br>
Service-Type = "%{reply:nasA}"<br>
}<br>
}<br>
elsif(NAS-IP-Address == NAS B IP) {<br>
...</blockquote><div><br>Another thought would be to have ldap group based authorize and attributes being passed back.<br><br>IE the user has a"member" attributes specifying which services it has access to and which attributes to be passed back, <br>
<br>This is the user in LDAP.<br><br>dn: cn=user,o=users<br>member: cn=admin,ou=nasA,o=radius<br>member: cn=user,ou=nasB,o=radius<br>
member: cn=1,ou=nasC,o=radius<br>
member: cn=15,ou=nasC,o=radius<br>
member: cn=somethingelse,o=groups<br>
<br>Then I think I would specify in the clients the update reply ie:<br><br>if(NAS-IP-Address == NAS A IP) {<br>
<br>update reply {<br>
Service-Type = "%{reply:nasA}"<br>
}<br>
}<br>
<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br>