Ok, I've did this, but the group testing is not working. server twofactor { authorize { preprocess auth_log suffix pap perl if (User-Password =~ /^(.+?)([0-9]{6})$/) { update request { User-Password := "%{1}" One-Time-Password := "%{2}" } } update control { Auth-Type := TwoFactor } if (ldap_group-LDAP-Group != "somegroup") { reject } } authenticate { Auth-Type TwoFactor { perl ldap_group } perl ldap_group } ... } Output: rlm_ldap::ldap_groupcmp: User found in group somegroup ldap_msgfree [ldap_group] ldap_release_conn: Release Id: 0 ? Evaluating (ldap_group-LDAP-Group != "somegroup") -> TRUE ++? if (ldap_group-LDAP-Group != "somegroup") -> TRUE ++- entering if (ldap_group-LDAP-Group != "somegroup") {...} +++[reject] returns reject ++- if (ldap_group-LDAP-Group != "r7arq") returns reject } # server hotp Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/hotp +- entering group REJECT {...} On Fri, May 13, 2011 at 10:53 AM, Herbert Fischer <herbert.fischer@gmail.com
wrote:
Thanks Alan!
And how do I tell Freeradius that only some LDAP groups can authenticate against a client? I read the docs but did not understood the connection between the users file and the virtual server conf.
best regards
On Fri, May 13, 2011 at 2:28 AM, Alan DeKok <aland@deployingradius.com>wrote:
Herbert Fischer wrote:
I would like to setup LDAP module with different settings for different clients.
How can I do this?
Either set up a different virtual server for each client, OR use "unlang" to check "if client X, use ldap X"
Can I setup multiple LDAP module settings and specify which one I would like to use for a site or client?
Yes, but you need to edit the "authorize" section to replace:
ldap with
if (client 1 ..) { ldap1 } elsif (client 2...) { ldap2 } ...
Can I define some of the LDAP settings inside the site or client config?
No.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html