Florian Prester wrote:
Now the big question: If I have an user who is authenticate, meaning correct username + password whereas the password is stored in LDAP. I want to replay attributes according th some other information stored in LDAP - how can I do such a thing, like: IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good, ELSIF dap-attribute::xy == valid_2 THEN RETURN ldap-attribute::IP-better, ELSE RETURN ldap-attribute::IP-bad
ok, lets assume a user can authenticate because he/she supplys a valid username/password e.g. using PAP. Now the user is authenticated. But I want to allow access to something not only if the user is authenticated, but also if a given attribute is present in the users ldap enty. How can I do that?
We faced a similar problem recently. The issue is that the rlm_ldap module is designed to work in the same way as the 'users' file: compare incoming "request" attributes to "check" attributes from LDAP, and authorize the user if they match. If you control the LDAP schema, then you can do what you want by simply adding the reply attributes to each user's LDAP profile. Users with 'xy == valid_1' get 'IP-good', users with 'xy == valid_2' get 'IP-better', and so on. If you *don't* control the LDAP schema (as in our case), you'll have to something else. We combined LDAP with rlm_perl, something like this: - Define site-local RADIUS attributes in the dictionary, and map them as check items to the LDAP attributes of interest in 'ldap.attrmap'. - Define an Autz-Type using both LDAP and rlm_perl, in 'radiusd.conf': authorize { ... Autz-Type our-autz { ldap { notfound = reject } perl { notfound = reject } } ... } - Configure rlm_perl to call a perl script to compare the retrieved LDAP attributes according to your policy and add the appropriate reply attributes. -- George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley