Multiple LDAPS

Sébastien Cantos scantos at technodiva.com
Tue Sep 20 16:22:05 CEST 2005


Ok, very good. I'm gonna try this.
Thanks a lot.

Regards,
--
Sebastien Cantos <scantos at technodiva.com>
Network / System Manager
Neopost DIVA 

> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org] On behalf
> of Dusty Doris
> Sent: Tuesday, 20 September 2005 16:12
> To: FreeRadius users mailing list
> Subject: Re: Multiple LDAPS
> 
> 
> > Hi,
> >
> > I was wondering if there's a way to look for users in different LDAP trees
> > and/or servers depending on the suffix (@something) in the login. If it's
> > possible could someone show me the config?
> > Thanks in advance.
> >
> 
> 
> Sure.  First you need to define two ldap configs in radiusd.conf.
> Instead of just having ldap {, you define ldap and then a name for each
> instance and include all the config entries under it.
> 
> ldap ldap1 {
>    server
>    basedn
>    ...
> }
> 
> ldap ldap2 {
>    ...
> }
> 
> Then in the authorize section you do this.
> 
> authorize {
>    Autz-Type ldap1 {
>       ldap1
>    }
>    Autz-Type ldap2 {
>       ldap2
>    }
> }
> 
> Then in authenticate, you do
> 
> authenticate {
>    Auth-Type ldap1 {
>       ldap1
>    }
>    Auth-Type ldap2 {
>       ldap2
>    }
> }
> 
> Now, in the users file you can specify which to use based on the realm.
> Make sure you enable the suffix module to use suffix for realms.
> 
> 
> DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1
> 
> DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2
> 
> DEFAULT Auth-Type := Reject
> 
> The users file is parsed top to bottom.  In this instance say a username
> comes over as user at somerealm.com.  It will match on the first line and
> will then use your settings in ldap1 for authorization and authentication.
> By default you will not fall through to any other rules.
> 
> A user comes in with user at otherrealm.com, it will not match the first and
> will fall through to the second line.  There it will match and use ldap2.
> 
> A user comes in with user at notarealrealm.com, it will not match the first
> two and hit the last rule, which will reject the user.  Of course you
> could do something else at this point and maybe make it hit a different
> type of authentication for other realms if you'd like.
> 
> You can read more in doc/Autz-Type.
> 
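As an added illustration (not FreeRADIUS code and not part of the thread), the following Python models how the three DEFAULT entries quoted above are walked top to bottom once the suffix module has split user@realm: a known realm selects its ldap instance, and anything else, including a login with no suffix, ends at the Reject entry. The rule table, usernames, exact-match realm comparison and split-on-last-'@' behaviour are constructed assumptions of this model, not a statement about the server's implementation.

```python
"""Simplified model of realm-based routing in a FreeRADIUS users file.

This is an illustration written for this thread, not FreeRADIUS code.
It mimics the top-to-bottom walk over DEFAULT entries with no
Fall-Through, so the first matching entry decides the outcome.
"""
from typing import Optional, Tuple

# Constructed rule table mirroring the quoted users-file entries, in file
# order: (realm to match, Autz-Type, Auth-Type). A None realm is an
# unconditional DEFAULT entry (the final "Auth-Type := Reject" line).
USERS_FILE = [
    ("somerealm.com", "ldap1", "ldap1"),
    ("otherrealm.com", "ldap2", "ldap2"),
    (None, None, "Reject"),
]


def split_suffix(user_name: str) -> Tuple[str, Optional[str]]:
    """Model of the suffix realm format: 'user@realm' -> (user, realm).

    Assumption of this model: split on the last '@'; a login without '@'
    carries no realm at all, so no realm-conditioned entry can match it.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def route(user_name: str) -> dict:
    """Walk the rule table top to bottom and return the first match.

    Realms are compared exactly (assumption of this model); unknown
    realms and suffix-less logins fall all the way to the Reject entry,
    which is the defensive default the thread recommends.
    """
    stripped, realm = split_suffix(user_name)
    for wanted_realm, autz_type, auth_type in USERS_FILE:
        if wanted_realm is None or realm == wanted_realm:
            return {"user": stripped, "realm": realm,
                    "autz_type": autz_type, "auth_type": auth_type}
    raise RuntimeError("rule table has no unconditional DEFAULT entry")


if __name__ == "__main__":
    for login in ("user@somerealm.com", "user@otherrealm.com",
                  "user@notarealrealm.com", "nosuffix"):
        print(login, "->", route(login))
```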