noob with some questions

George C. Kaplan gckaplan at
Tue Aug 1 01:23:51 CEST 2006

On Jul 31, 2006, at 10:08 AM, P. K. wrote:

> Hi All,
> I've been setting up my College's first FreeRadius server and I've  
> been having a hard time wrapping my brain around the config with  
> the documentation that is available. If you'll bear with me here  
> through this super long post, I'll go into more depth.
> What I'm trying to do:
> I want to configure FreeRadius to Authorize a user against an LDAP  
> directory based on IF that user has the following values:
> edupersonprimaryaffiliation: STAFF
> OR
> edupersonprimaryaffiliation: Faculty
> If the user's values don't match either of these two conditions,  
> they are rejected. If they match either, then they are  
> authenticated against a kerberos server.

This is very similar to our situation:  you need to authorize based  
on some combination of a user's attributes that are found in LDAP,  
but that *aren't* present for comparison in the RADIUS request.  Our  
solution is to use rlm_perl for the comparison.

You already have part of the solution:  you've got LDAP retrieving  
the relevant LDAP data into locally-defined RADIUS attributes.  Now  
you just need to write a perl script to check the appropriate members  
of the %RAD_CHECK hash, and configure an Autz-Type that uses your  
LDAP module, followed by your rlm_perl module.

George C. Kaplan                            gckaplan at
Communication & Network Services            510-643-0496
University of California at Berkeley
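An added illustration of the rlm_perl approach George describes, not code from the thread or from the FreeRADIUS project. It assumes the LDAP module has already copied the user's affiliation into a check item named eduPersonPrimaryAffiliation (the local attribute name, the script path affiliation.pl and the Autz-Type name in the comment are assumptions), and that the return-code constants match those in FreeRADIUS' example.pl. The policy is an explicit allow-list that fails closed: no attribute, or any value outside the list, means reject.

```perl
# Added example (not from the original thread or the FreeRADIUS project):
# an rlm_perl authorize hook that rejects anyone whose affiliation is not
# in an explicit allow-list. Assumes the LDAP module has already copied
# eduPersonPrimaryAffiliation into a check item of the same name.
#
# Assumed wiring in radiusd.conf (adapt to your own config):
#
#   modules {
#       perl { module = ${confdir}/affiliation.pl }
#   }
#   authorize {
#       Autz-Type LDAP-Affiliation {
#           ldap      # fills %RAD_CHECK from the directory
#           perl      # this script decides on the result
#       }
#   }

use strict;
use warnings;

# rlm_perl populates these hashes in package main before each call.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as defined in FreeRADIUS' example.pl.
use constant RLM_MODULE_REJECT => 0;
use constant RLM_MODULE_FAIL   => 1;
use constant RLM_MODULE_OK     => 2;
use constant RLM_MODULE_NOOP   => 7;

# Allow-list from the original post; compared case-insensitively because
# the post shows "STAFF" and "Faculty" with inconsistent case. Anything
# not listed here is rejected.
my %ALLOWED = map { $_ => 1 } qw(staff faculty);

# Pure policy helper so it can be exercised outside radiusd.
# $value is the raw check item: undef, a scalar, or an array ref
# (newer rlm_perl versions hand multi-valued attributes over as array refs;
# handling both is an assumption that keeps the script version-agnostic).
sub affiliation_allowed {
    my ($value) = @_;
    return 0 unless defined $value;        # fail closed: no attribute, no access
    my @values = (ref $value eq 'ARRAY') ? @{$value} : ($value);
    for my $v (@values) {
        return 1 if $ALLOWED{ lc $v };
    }
    return 0;
}

# Called by rlm_perl for the authorize section.
sub authorize {
    my $user = defined $RAD_REQUEST{'User-Name'}
             ? $RAD_REQUEST{'User-Name'} : '<unknown>';

    if (affiliation_allowed($RAD_CHECK{'eduPersonPrimaryAffiliation'})) {
        # Authorized; actual authentication (Kerberos in the post) is left
        # to whatever Auth-Type the rest of the config selects.
        return RLM_MODULE_OK;
    }

    # Log the rejection so failed affiliation checks are visible in radiusd's log.
    &radiusd::radlog(1, "affiliation check rejected user $user");
    return RLM_MODULE_REJECT;
}

1;
```

Because the decision lives in affiliation_allowed(), the policy can be checked from a plain perl one-liner (for example, `perl -e 'require "affiliation.pl"; print affiliation_allowed("Faculty")'` should print 1 and `affiliation_allowed(undef)` should print 0) before the script is ever loaded into radiusd.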
