On 19/09/12 17:03, Stefano Zanmarchi wrote:
Hallo, I've configured freeradius to authenticate users with PEAP, using openldap to store NTLM hashes. It works fine. Now I'd like to authorize only people who have the ldap attribute "haDirittoEduroam" set to Y (or the other way round: not to authorize users with "haDirittoEduroam" set to N). Below an example openldap entry. Is there an easy way to achive this?
1. Edit "raddb/dictionary" to define a local attribute to store the data ATTRIBUTE Eduroam-Enabled 3010 string 2. Modify "ldap.attrmap" to copy your LDAP attribute into this local RADIUS attribute: replyItem Eduroam-Enabled haDirittoEduroam 3. Check the attribute like so in "sites-enabled/inner-tunnel": authorize { ... ldap if (reply:Eduroam-Enabled != "Y") { reject } ... } There are probably other ways to do it, including using an "xlat" to lookup the attribute i.e. variation of step 2, or modifying the ldap queries to only "see" those users.