Ok, I've done this, but the group testing is not working. <div><br></div><div><div>server twofactor {</div><div><br></div><div> authorize {</div><div> preprocess</div><div> auth_log</div><div> suffix</div>
<div> pap</div><div> perl</div><div><br></div><div> if (User-Password =~ /^(.+?)([0-9]{6})$/) {</div><div> update request {</div><div> User-Password := "%{1}"</div>
<div> One-Time-Password := "%{2}"</div><div> }</div><div> }</div><div><br></div><div> update control {</div><div> Auth-Type := TwoFactor</div><div> }</div>
<div><br></div><div> if (ldap_group-LDAP-Group != "somegroup") {</div><div> reject</div><div> }</div><div> }</div><div><br></div><div> authenticate {</div><div> Auth-Type TwoFactor {</div>
<div> perl</div><div> ldap_group</div><div> }</div><div><br></div><div> perl</div><div> ldap_group</div><div>
}</div><div><br></div><div>...</div><div><br></div><div>}</div><div><br></div><div><br></div><div>Output:</div><div><br></div><div><div>rlm_ldap::ldap_groupcmp: User found in group somegroup</div><div>
ldap_msgfree</div><div> [ldap_group] ldap_release_conn: Release Id: 0</div><div>? Evaluating (ldap_group-LDAP-Group != "somegroup") -> TRUE</div>
<div>++? if (ldap_group-LDAP-Group != "somegroup") -> TRUE</div><div>++- entering if (ldap_group-LDAP-Group != "somegroup") {...}</div>
<div>+++[reject] returns reject</div><div>++- if (ldap_group-LDAP-Group != "r7arq") returns reject</div><div>} # server hotp</div><div>Using Post-Auth-Type Reject</div>
<div># Executing group from file /etc/freeradius/sites-enabled/hotp</div><div>+- entering group REJECT {...}</div></div><div><br></div><div><br></div><br><div class="gmail_quote">On Fri, May 13, 2011 at 10:53 AM, Herbert Fischer <span dir="ltr"><<a href="mailto:herbert.fischer@gmail.com">herbert.fischer@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Thanks Alan!<div><br></div><div>And how do I tell Freeradius that only some LDAP groups can authenticate against a client? </div>
<div>I read the docs but did not understand the connection between the users file and the virtual server conf.</div>
<div><br></div><div>best regards</div><div><div></div><div class="h5"><div><br><div class="gmail_quote">On Fri, May 13, 2011 at 2:28 AM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Herbert Fischer wrote:<br>
> I would like to setup LDAP module with different settings for different<br>
> clients.<br>
><br>
> How can I do this?<br>
<br>
</div> Either set up a different virtual server for each client, OR use<br>
"unlang" to check "if client X, use ldap X"<br>
<div><br>
> Can I setup multiple LDAP module settings and specify which one I would<br>
> like to use for a site or client?<br>
<br>
</div> Yes, but you need to edit the "authorize" section to replace:<br>
<br>
ldap<br>
with<br>
<br>
if (client 1 ..) {<br>
ldap1<br>
}<br>
elsif (client 2...) {<br>
ldap2<br>
}<br>
...<br>
<div><br>
> Can I define some of the LDAP settings inside the site or client config?<br>
<br>
</div> No.<br>
<font color="#888888"><br>
Alan DeKok.<br>
</font></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
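Added example, not part of the original thread or of FreeRADIUS itself: a Python model of the password/OTP split done by the `if (User-Password =~ /^(.+?)([0-9]{6})$/)` block in the first message, showing which inputs reach `Auth-Type := TwoFactor` without a `One-Time-Password`. The function names and sample inputs are constructed for illustration; Python's `re` stands in for the server's regex engine, which is safe here because the anchored pattern allows only one possible split.

```python
import re

# Pattern copied from the unlang condition in the posted authorize section.
SPLIT_RE = re.compile(r"^(.+?)([0-9]{6})$")


def split_password_otp(user_password):
    """Model the `update request` block: return (password, otp).

    otp is None when the pattern does not match; the posted config then
    leaves User-Password unchanged and never sets One-Time-Password.
    """
    m = SPLIT_RE.match(user_password)
    if m is None:
        return user_password, None
    return m.group(1), m.group(2)


def otp_missing(user_password):
    """Hypothetical guard: True when no One-Time-Password would be set.

    The posted config sets Auth-Type := TwoFactor outside the `if`, so
    whatever verifies the OTP must treat a missing value as a failure.
    """
    return split_password_otp(user_password)[1] is None


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    "secret123456",   # password + OTP
    "secret",         # no OTP appended
    "secret12345",    # only five trailing digits
    "123456",         # OTP with no password in front
    "Summer202311",   # static password that happens to end in six digits
]

if __name__ == "__main__":
    for value in SAMPLES:
        password, otp = split_password_otp(value)
        print(f"{value!r:16} password={password!r:12} otp={otp!r}")
```

The last sample is the case to watch: a static password ending in six digits is split even when no OTP was typed, so both the LDAP password check and the OTP check see the wrong values and must fail closed.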