noob with some questions
George C. Kaplan
gckaplan at ack.berkeley.edu
Tue Aug 1 01:23:51 CEST 2006
On Jul 31, 2006, at 10:08 AM, P. K. wrote:
> Hi All,
>
> I've been setting up my College's first FreeRadius server and I've
> been having a hard time wrapping my brain around the config with
> the documentation that is available. If you'll bear with me here
> through this super long post, I'll go into more depth.
>
> What I'm trying to do:
> I want to configure FreeRadius to Authorize a user against an LDAP
> directory based on IF that user has the following values:
>
> edupersonprimaryaffiliation: STAFF
> AND
> psadminarea: BUSINESS - SMEAL COLLEGE
>
> OR
>
> edupersonprimaryaffiliation: Faculty
> AND
> psadminarea: BUSINESS - SMEAL COLLEGE
>
> If the user's values don't match either of these two conditions,
> they are rejected. If they match either, then they are
> authenticated against a kerberos server.
This is very similar to our situation: you need to authorize based
on some combination of a user's attributes that are found in LDAP,
but that *aren't* present for comparison in the RADIUS request. Our
solution is to use rlm_perl for the comparison.
You already have part of the solution: you've got LDAP retrieving
the relevant LDAP data into locally-defined RADIUS attributes. Now
you just need to write a perl script to check the appropriate members
of the %RAD_CHECK hash, and configure an Autz-Type that uses your
LDAP module, followed by your rlm_perl module.
--
George C. Kaplan gckaplan at ack.berkeley.edu
Communication & Network Services 510-643-0496
University of California at Berkeley
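As an added example (not the poster's script or anything from the FreeRADIUS project), here is an rlm_perl `authorize()` that implements the check George describes: it reads the LDAP-derived attributes out of `%RAD_CHECK` and returns OK only for STAFF or Faculty in "BUSINESS - SMEAL COLLEGE". The attribute names `LDAP-Affiliation` and `LDAP-AdminArea` are assumed placeholders for whatever locally-defined attributes the LDAP module populates; the comparison is case-insensitive so both spellings in the question match, and it also handles multi-valued attributes, which rlm_perl passes as an array reference.

```perl
# Added example of an rlm_perl authorize() for the STAFF/Faculty + admin-area
# check; attribute names below are assumptions, not from the original thread.
use strict;
use warnings;

# Globals that rlm_perl populates before calling authorize().
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes (values as in FreeRADIUS's example.pl).
use constant {
    RLM_MODULE_REJECT => 0,
    RLM_MODULE_OK     => 2,
};

# ASSUMED names of the locally-defined RADIUS attributes into which the
# LDAP module copies edupersonprimaryaffiliation and psadminarea.
my $AFFIL_ATTR = 'LDAP-Affiliation';
my $AREA_ATTR  = 'LDAP-AdminArea';

my %ALLOWED_AFFIL = map { $_ => 1 } qw(staff faculty);
my $REQUIRED_AREA = 'business - smeal college';

# Normalise an attribute value to a lower-cased list: rlm_perl hands a
# multi-valued attribute over as an array ref, a single value as a scalar.
sub values_of {
    my ($v) = @_;
    return () unless defined $v;
    return map { lc $_ } (ref $v eq 'ARRAY' ? @$v : ($v));
}

# Pure decision function so it can be exercised outside radiusd:
# (STAFF or Faculty) AND psadminarea == BUSINESS - SMEAL COLLEGE.
sub is_authorized {
    my ($check) = @_;
    my $affil_ok = grep { $ALLOWED_AFFIL{$_} } values_of($check->{$AFFIL_ATTR});
    my $area_ok  = grep { $_ eq $REQUIRED_AREA } values_of($check->{$AREA_ATTR});
    return ($affil_ok && $area_ok) ? 1 : 0;
}

sub authorize {
    return RLM_MODULE_OK if is_authorized(\%RAD_CHECK);  # go on to Kerberos

    my $user = defined $RAD_REQUEST{'User-Name'} ? $RAD_REQUEST{'User-Name'} : '?';
    &radiusd::radlog(2, "rlm_perl: $user has no allowed affiliation/area, rejecting");
    $RAD_REPLY{'Reply-Message'} = 'Not authorized for this service';
    return RLM_MODULE_REJECT;  # user is never handed to the Kerberos module
}

1;
```

List the LDAP module before this Perl module in the Autz-Type, as the reply says, so `%RAD_CHECK` is already populated when `authorize()` runs; a user missing either attribute entirely is rejected rather than let through.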