On Jul 31, 2006, at 10:08 AM, P. K. wrote:
Hi All,
I've been setting up my College's first FreeRadius server and I've been having a hard time wrapping my brain around the config with the documentation that is available. If you'll bear with me here through this super long post, I'll go into more depth.
What I'm trying to do: I want to configure FreeRadius to Authorize a user against an LDAP directory based on IF that user has the following values:
edupersonprimaryaffiliation: STAFF AND psadminarea: BUSINESS - SMEAL COLLEGE
OR
edupersonprimaryaffiliation: Faculty AND psadminarea: BUSINESS - SMEAL COLLEGE
If the user's values don't match either of these two condition, they are rejected. If they match either, then they are authenticated agains a kerberos server.
This is very similar to our situation: you need to authorize based on some combination of a user's attributes that are found in LDAP, but that *aren't* present for comparison in the RADIUS request. Our solution is to use rlm_perl for the comparison. You already have part of the solution: you've got LDAP retrieving the relevant LDAP data into locally-defined RADIUS attributes. Now you just need to write a perl script to check the appropriate members of the %RAD_CHECK hash, and configure an Autz-Type that uses your LDAP module, followed by your rlm_perl module. -- George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley