Thanks a lot. More questions. If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too: http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.h... I am trying to follow your comment on this. I now realized we used to run eDir and now converted to iplanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes since otherwise, I could not call ldap in the post-auth section in "auth" virtual server for eap. ##etc/raddb/modules/ldap # Un-comment the following to disable Novell # eDirectory account policy check and intruder # detection. This will work *only if* FreeRADIUS is # configured to build with --with-edir option. # #edir_account_policy_check = no What I want to do is just to check some attribute in our ldap server, our structure is like the following: # extended LDIF # # LDAPv3 # base <ou=people,dc=foo,dc=edu> with scope subtree # filter: uid=sding # requesting: ALL # # sding, People, foo.edu dn: uid=sding,ou=People,dc=foo,dc=edu ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE fooEduPSHRdeptName: Information Technology Service (ITS) fooEduPSHRDepartmentNumber: 123456 fooEduEmployeeStatus: Active employeeStatus: Active uid: sding I would like to cache the following attribut/value in your example cache_ldap-userdn.pm, so I can use these values as logic to assign user to different VLANs. Can I do that in your pm? fooEduPSHRdeptName: Information Technology Service (ITS) fooEduPSHRDepartmentNumber: 123456 fooEduEmployeeStatus: Active employeeStatus: Active Thanks, Schilling On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter <alex@digriz.org.uk> wrote:
schilling <schilling2006@gmail.com> wrote:
I am trying to play with your configuration, basically I have a virtual server call auth as your example, and modified my eap.conf for peap to use auth.
what's the config:local.MY.realm? My debug showed
Phil pretty much covered it (and in a neater manner I was not aware could be used, but it is obvious now seeing it...), I put all the 'local site' specific details into a single configuration file (including SQL/LDAP binding credentials) so that if I want to give someone a copy of my config, ll I have to really do is trim the 'local' file and know I have not leaked anything important.
For example, just after '$INCLUDE clients.conf' in the main radiusd.conf file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file is: ---- local.MY.hostname = iodine.it.soas.ac.uk local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c local.MY.addr.v4 = 212.219.138.70
local.MY.realm = soas.ac.uk
local.addr.v6 = 2001:630:1b:1001:624a::15bb local.addr.v4 = 193.63.73.37
local.test.username = test-username local.test.password = [ahem]
local.ldap.server.1 = ldap1.soas.ac.uk local.ldap.server.2 = ldap2.soas.ac.uk local.ldap.username = cn=cheese,ou=is,o=tasty local.ldap.password = NOM
local.sql.server = sql.soas.ac.uk local.sql.username = radius-username local.sql.password = oh-so-very-secret
local.cert.password = omg-do-not-tell-anyones
[snipped]
$INCLUDE ${confdir}/LOCAL/templates.conf
$INCLUDE ${confdir}/LOCAL/policy.conf
$INCLUDE ${confdir}/LOCAL/proxy.conf
$INCLUDE ${confdir}/LOCAL/clients/ ----
Cheers
-- Alexander Clouter .sigmonster says: Riches cover a multitude of woes. -- Menander
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html