Pietro Accerboni wrote:
Thanks a lot for the quick answer, it works!
Yes. It's really that easy. The hard part is usually figuring out how to phrase the policies correctly. If the policies are phrased incorrectly, it's *impossible* to get the server to do what you want... because the policies aren't doing what you want.
So the ldap filters i wrote are ok, the problem was on the users file. I have 2 more questions: ... I want to pick out the gid from the group 'staff', whatever this numer is, and check this number in the users file. May I write something like gid=%{ldap:ldap://dc=mydomain,dc=it?gidNumber?sub?(&(posixGroup)(cn=staff))}, and then use this var in the test Ldap-Group!=<gid> in users file?
Unfortunately, no. This should be easier in 2.0.
2) Maybe a stupid question. I found very difficult to have a clear understanding of how to configure freeradius, from the documentation that comes with the rpm/deb package and the one i found on freeradius.org. Also i look for a book, but the only one i found is 'Radius' from O'Reilly, that is old and far far far away from a 'good book'.
Well, yes.
Is there some paper, some book, some doc that explain clearly the freeradius world? From a general point of view (Radius Protocol,
I've got a bit over 200 pages done on my book, but other issues keep coming up, and preventing me from doing much more.
Difference in Authorization and Authentication section, etc..) to the details (how freeradius use the request attrs/config attrs/reply attrs, the gory details of the single module configuration switch - see my mistake with 'compare_check_items=yes' in ldap, etc.)?
Generally, any module configuration is the least of your worries. The most effort is spent writing the correct policies. Alan DeKok.