More documentation on Auth-Type

Rohaizam Abu Bakar haizam at myjaring.net
Wed Aug 9 02:54:17 CEST 2006 

For the 2nd option.. already tried almost the same except the auth-type 
name... Previously tried autz & auth type using the same name... Will try it 
out as suggested... thx Phil

--haizam

----- Original Message ----- 
From: "Phil Mayers" <p.mayers at imperial.ac.uk>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, August 08, 2006 6:28 PM
Subject: Re: More documentation on Auth-Type


> Rohaizam Abu Bakar wrote:
>> any docs to help on my problem... ? in doc/rlm_ldap, there is section 
>> about LDAP XLAT.. Is it the one ?
>
> As far as I know, you should be able to do something like:
>
> modules {
>   files {
>     usersfile = users
>   }
>   files wireless_files {
>     usersfile = wireless_users
>   }
>   files vpn_files {
>     usersfile = vpn_users
>   }
>   ldap {
>     basedn = "%{reply:Tmp-String-1}"
>     ...
>   }
> }
>
> authorize {
>   files
>   Autz-Type WIRELESS {
>     wireless_files
>     ldap
>   }
>   Autz-Type VPN {
>     vpn_files
>     ldap
>   }
> }
>
> users:
>
> DEFAULT Huntgroup-Name == "whatever", Autz-Type := WIRELESS
>
> DEFAULT Huntgroup-Name == "something", Autz-Type := VPN
>
> users_vpn:
>
> DEFAULT
> Tmp-String-1 = "ou=vpnusers,dc=mydomain,dc=org"
>
> users_wireless:
>
> DEFAULT
> Tmp-String-1 = "ou=wireless,dc=anotherdomain,dc=com"
>
> You may need to add Tmp-String-1 to a local dictionary if you're running 
> an older server, e.g. in "dictionary"
>
> ATTRIBUTE Tmp-String-1 3000 string
>
>
> Alternatively, 1.1.0 and up can do this I think?
>
> modules {
>   ldap wireless_ldap {
>     basedn = "ou=wireless,dc=domain,dc=com"
>     set_auth_type = yes
>   }
>   ldap vpn_ldap {
>     basedn = "ou=vpn,dc=example,dc=org"
>     set_auth_type = yes
>   }
>   files {
>    ...
>   }
> }
>
> authorize {
>   preprocess
>   files
>   Autz-Type WIRELESS {
>     wireless_ldap
>   }
>   Autz-Type VPN {
>     vpn_ldap
>   }
> }
>
> authenticate {
>   Auth-Type wireless_ldap {
>     wireless_ldap
>   }
>   Auth-Type vpn_ldap {
>     vpn_ldap
>   }
> }
>
> and in users:
>
> DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN
>
> DEFAULT Huntgroup-Name == "WIRELESS", Autz-Type := WIRELESS
>
>
> Basically, what happens then is:
>
>  1. preprocess run
>  2. files run, autz-type set
>  3. authorize re-run, autz-type section run
>  4. appropriate LDAP module run, and IF AND ONLY IF the Auth-Type is NOT 
> SET, set Auth-Type to "modulename" - i.e. "wireless_ldap" or "vpn_ldap"
>  5. authenticate run, appropriate LDAP module run
> - List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list