Authorization according to openLDAP group or attribute?
I have configured freeradius successfully to authenticate users using IEEE802.1x && openLDAP as a back-end DB. I have seen that we can add `ldap` to the authorize section like this: authorize { ... ldap ... } and we can forbid some users according to openLDAP attribute authorize { ... ldap if (reply:Eduroam-Enabled != "Y") { reject } ... } But what if we want to do authorization like this: We have multiple web servers: 192.168.1.5 192.168.1.6 192.168.1.7 And we want only some users to have access to `192.168.1.5` web server, how can we forbid other users to access this web server or restrict this web servers to some users according to openLDAP attribute or openLDAP group? Is there could be done using "authorize" section or "post-auth" section? (provide me with links please)
Mark jensen wrote:
And we want only some users to have access to `192.168.1.5` web server, how can we forbid other users to access this web server or restrict this web servers to some users according to openLDAP attribute or openLDAP group?
The first thing is to run the server in debugging mode. What makes the requests from that web server different from the requests from other web servers? Then, write policies to check for those differences, and reject users. This is usually something like: if ((web server 192.168.1.5) && (LDAP-Group != "allowed_for_192.168.1.5)) { reject } And no, you don't put that EXACT text into the "authorize" section. You've got to fill in the blanks.
Is there could be done using "authorize" section or "post-auth" section? (provide me with links please)
We don't provide documentation on how to solve your exact problem. There are 10 different questions a day, 365 days a year. Alan DeKok.
Mark jensen wrote:
And no, you don't put that EXACT text into the "authorize" section. You've got to fill in the blanks.
whatdo you mean you've got to fill in the blanks!!!
You've got to think for yourself. I already gave you more instructions in my previous message. Here's a hint: I'm not a magician. I don't know what your web server is sending to FreeRADIUS. Only YOU know that. I don't know what LDAP group you're using for restricted users. Only YOU know that. Think for yourself. I can't give you the exact solution. And to be honest, it's rude for you to ask. Especially since I already explained this in my last message. Alan DeKok.
participants (2)
-
Alan DeKok -
Mark jensen