More documentation on Auth-Type
Rohaizam Abu Bakar
haizam at myjaring.net
Wed Aug 9 02:54:17 CEST 2006
For the 2nd option.. already tried almost the same except the auth-type
name... Previously tried autz & auth type using the same name... Will try it
out as suggested... thx Phil
--haizam
----- Original Message -----
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type
> Rohaizam Abu Bakar wrote:
>> any docs to help on my problem... ? in doc/rlm_ldap, there is section
>> about LDAP XLAT.. Is it the one ?
>
> As far as I know, you should be able to do something like:
>
> modules {
>     files {
>         usersfile = users
>     }
>     files wireless_files {
>         usersfile = wireless_users
>     }
>     files vpn_files {
>         usersfile = vpn_users
>     }
>     ldap {
>         basedn = "%{reply:Tmp-String-1}"
>         ...
>     }
> }
>
> authorize {
>     files
>     Autz-Type WIRELESS {
>         wireless_files
>         ldap
>     }
>     Autz-Type VPN {
>         vpn_files
>         ldap
>     }
> }
>
> users:
>
> DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
>
> DEFAULT Huntgroup-Name == "something", Autz-Type := VPN
>
> users_vpn:
>
> DEFAULT
>     Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"
>
> users_wireless:
>
> DEFAULT
>     Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
>
> You may need to add Tmp-String-1 to a local dictionary if you're running
> an older server, e.g. in "dictionary"
>
> ATTRIBUTE Tmp-String-1 3000 string
>
>
> Alternatively, 1.1.0 and up can do this I think?
>
> modules {
>     ldap wireless_ldap {
>         basedn = "ou=wireless,dc=domain,dc=com"
>         set_auth_type = yes
>     }
>     ldap vpn_ldap {
>         basedn = "ou=vpn,dc=example,dc=org"
>         set_auth_type = yes
>     }
>     files {
>         ...
>     }
> }
>
> authorize {
>     preprocess
>     files
>     Autz-Type WIRELESS {
>         wireless_ldap
>     }
>     Autz-Type VPN {
>         vpn_ldap
>     }
> }
>
> authenticate {
>     Auth-Type wireless_ldap {
>         wireless_ldap
>     }
>     Auth-Type vpn_ldap {
>         vpn_ldap
>     }
> }
>
> and in users:
>
> DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
>
> DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
>
>
> Basically, what happens then is:
>
> 1. preprocess run
> 2. files run, autz-type set
> 3. authorize re-run, autz-type section run
> 4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT
> SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap"
> 5. authenticate run, appropriate LDAP module run
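As an added illustration (not code from the thread or from FreeRADIUS itself), the following Python model walks a request through the five steps Phil lists for the second variant: files sets Autz-Type from the huntgroup, the matching Autz-Type section runs one ldap instance, and that instance sets Auth-Type only when nothing earlier did. The huntgroup names, instance names and base DNs are taken from the quoted config; the Request structure and the pre-set "Local" Auth-Type case are constructed for the example.

```python
from dataclasses import dataclass, field

# users file, constructed from the quoted DEFAULT entries: huntgroup -> Autz-Type
USERS_AUTZ = {"WIRELESS": "WIRELESS", "VPN": "VPN"}
# Autz-Type section -> the ldap instance it lists
AUTZ_SECTIONS = {"WIRELESS": "wireless_ldap", "VPN": "vpn_ldap"}
# basedn of each ldap instance (from the quoted modules {} block)
LDAP_BASEDN = {
    "wireless_ldap": "ou=wireless,dc=domain,dc=com",
    "vpn_ldap": "ou=vpn,dc=example,dc=org",
}


@dataclass
class Request:
    huntgroup: str                                   # set by preprocess / huntgroups
    control: dict = field(default_factory=dict)      # config items: Autz-Type, Auth-Type
    log: list = field(default_factory=list)          # what each module did, for the reader


def ldap_authorize(req, instance):
    """ldap instance with set_auth_type = yes: search under its own basedn and
    set Auth-Type to its instance name, but only if no Auth-Type exists yet (step 4)."""
    req.log.append(f"{instance}: search under {LDAP_BASEDN[instance]}")
    req.control.setdefault("Auth-Type", instance)


def authorize(req):
    """Steps 1-4. Returns the Auth-Type the request leaves authorize with."""
    req.log.append("preprocess")                     # step 1
    autz = USERS_AUTZ.get(req.huntgroup)             # step 2: files matches a DEFAULT entry
    if autz is None:
        return req.control.get("Auth-Type")          # no Autz-Type: no LDAP lookup at all
    req.control["Autz-Type"] = autz
    ldap_authorize(req, AUTZ_SECTIONS[autz])         # steps 3 and 4
    return req.control.get("Auth-Type")


def authenticate(req):
    """Step 5: Auth-Type names the ldap instance that performs the bind."""
    auth = req.control.get("Auth-Type")
    if auth in LDAP_BASEDN:
        return f"bind under {LDAP_BASEDN[auth]}"
    return f"no ldap authenticate section for Auth-Type {auth!r}"
```

A request whose Auth-Type was already set before the Autz-Type section runs keeps it, which is the "IF AND ONLY IF the Auth-Type is NOT SET" rule in step 4.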