More documentation on Auth-Type
Phil Mayers
p.mayers at imperial.ac.uk
Tue Aug 8 12:28:14 CEST 2006
Rohaizam Abu Bakar wrote:
> Any docs to help on my problem...? In doc/rlm_ldap, there is a section
> about LDAP XLAT. Is it the one?
As far as I know, you should be able to do something like:
modules {
    files {
        usersfile = users
    }
    files wireless_files {
        usersfile = wireless_users
    }
    files vpn_files {
        usersfile = vpn_users
    }
    ldap {
        basedn = "%{reply:Tmp-String-1}"
        ...
    }
}

authorize {
    files
    Autz-Type WIRELESS {
        wireless_files
        ldap
    }
    Autz-Type VPN {
        vpn_files
        ldap
    }
}

users:

DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
DEFAULT Huntgroup-Name == "something", Autz-Type := VPN

vpn_users:

DEFAULT
        Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"

wireless_users:

DEFAULT
        Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
You may need to add Tmp-String-1 to a local dictionary if you're running
an older server, e.g. in "dictionary":

ATTRIBUTE Tmp-String-1 3000 string

Alternatively, 1.1.0 and up can do this I think?
modules {
    ldap wireless_ldap {
        basedn = "ou=wireless,dc=domain,dc=com"
        set_auth_type = yes
    }
    ldap vpn_ldap {
        basedn = "ou=vpn,dc=example,dc=org"
        set_auth_type = yes
    }
    files {
        ...
    }
}

authorize {
    preprocess
    files
    Autz-Type WIRELESS {
        wireless_ldap
    }
    Autz-Type VPN {
        vpn_ldap
    }
}

authenticate {
    Auth-Type wireless_ldap {
        wireless_ldap
    }
    Auth-Type vpn_ldap {
        vpn_ldap
    }
}

and in users:

DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
Basically, what happens then is:

1. preprocess run
2. files run, Autz-Type set
3. authorize re-run, Autz-Type section run
4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap"
5. authenticate run, appropriate LDAP module run
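The following is an added example, not code from the post or from FreeRADIUS: a small Python model of the five-step flow above, written to show why the per-huntgroup ldap instances matter. The in-memory DIRECTORY, the Request and LdapInstance classes and run_request are constructed for illustration; the real server's return-code handling is richer than this. The model shows two things a practitioner wants to confirm: a user who exists only under the wireless base DN is not found by vpn_ldap, so a request arriving through the VPN huntgroup is rejected even with the correct password, and because set_auth_type only claims a request whose Auth-Type is still unset, an Auth-Type := Reject set earlier is never overwritten.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the two LDAP subtrees (no real directory is contacted):
# base DN -> {uid: password}
DIRECTORY = {
    "ou=wireless,dc=domain,dc=com": {"alice": "wifi-pw"},
    "ou=vpn,dc=example,dc=org": {"bob": "vpn-pw"},
}


@dataclass
class Request:
    username: str
    password: str
    huntgroup: str                                # Huntgroup-Name as set by preprocess
    control: dict = field(default_factory=dict)   # Autz-Type / Auth-Type live here


class LdapInstance:
    """Toy rlm_ldap instance (hypothetical): a name and the basedn it searches under."""

    def __init__(self, name, basedn):
        self.name = name
        self.basedn = basedn

    def authorize(self, req):
        # A user outside this instance's subtree is simply not found here.
        if req.username not in DIRECTORY.get(self.basedn, {}):
            return "notfound"
        # set_auth_type = yes: claim the request only if nothing set Auth-Type earlier.
        req.control.setdefault("Auth-Type", self.name)
        return "ok"

    def authenticate(self, req):
        # Toy bind check: compare against the stored password for this subtree.
        return DIRECTORY[self.basedn].get(req.username) == req.password


MODULES = {
    "wireless_ldap": LdapInstance("wireless_ldap", "ou=wireless,dc=domain,dc=com"),
    "vpn_ldap": LdapInstance("vpn_ldap", "ou=vpn,dc=example,dc=org"),
}

# The two DEFAULT entries from the users file: Huntgroup-Name -> Autz-Type
USERS_FILE = {"VPN": "VPN", "WIRELESS": "WIRELESS"}
# The Autz-Type sub-sections of authorize {}: which ldap instance each one runs
AUTZ_SECTIONS = {"WIRELESS": ["wireless_ldap"], "VPN": ["vpn_ldap"]}


def run_request(req):
    """Walk one Access-Request through the five steps; return 'accept' or 'reject'."""
    # 1-2. preprocess has filled in Huntgroup-Name; files matches a DEFAULT entry.
    autz = USERS_FILE.get(req.huntgroup)
    if autz is not None:
        req.control["Autz-Type"] = autz
        # 3-4. the matching Autz-Type section runs its ldap instance.
        for modname in AUTZ_SECTIONS[autz]:
            MODULES[modname].authorize(req)  # "notfound" just falls through
    # 5. authenticate dispatches on Auth-Type; a request nothing claimed is rejected,
    #    and so is one whose Auth-Type names no module (e.g. Reject).
    auth_type = req.control.get("Auth-Type")
    if auth_type not in MODULES:
        return "reject"
    return "accept" if MODULES[auth_type].authenticate(req) else "reject"


if __name__ == "__main__":
    print(run_request(Request("alice", "wifi-pw", "WIRELESS")))  # accept
    print(run_request(Request("alice", "wifi-pw", "VPN")))       # reject: wrong subtree
```

The scoping comes entirely from the basedn of the instance that the huntgroup selects; an unknown huntgroup matches no DEFAULT entry, so no instance ever claims the request and it is rejected for lack of an Auth-Type.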