LDAP->RADIUS Attribute Mapping
Alan DeKok
aland at deployingradius.com
Fri Dec 8 20:21:59 CET 2006
Owen DeLong wrote:
> We have historically used the AuthorizedService attribute in LDAP to
> control the level of access available to the user. We would like to
> continue to do so. However, in order for that to work, I need to map
> AuthorizedService to different RADIUS attributes in the response
> depending on the authentication client.
Do it in two steps. Map the AuthorizedService LDAP attribute to a
RADIUS attribute (invent a local one, see the dictionary docs), and then
depending on the NAS, map that to another attribute.
The reason for doing it this way is that the LDAP -> RADIUS attribute
mapping is simple, and should be kept simple.
> Ideally, I'd like to be able to map RADIUS clients into "groups" and
> have a mapping of AuthorizedService values for each group. The client
> groups would, ideally, be defined by matching the client IP address.
> An example of what I'd like that mapping to look like is below:
Use rlm_passwd to map clients to groups (see its documentation), and
then the "users" file to map AuthorizedService to another RADIUS
attribute, as described above.
> Alan, your flames and RTFM comments are welcome, but, please understand,
> I've done my best to RTFM before posting this.
As I tell my co-workers, "Remember, there are no stupid questions.
There are only stupid people."
And they still speak to me after that. :)
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
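The two-step mapping Alan describes, written out as FreeRADIUS configuration fragments (an added example, not from this thread or from the FreeRADIUS project). It assumes FreeRADIUS 2.x or later with unlang; the attribute names Local-Authorized-Service and Local-Client-Group, the nas_groups passwd instance, its data file and the 192.0.2.x addresses are all constructed for the example; the client group is keyed on NAS-IP-Address, which is carried in the Access-Request, rather than on the packet's source address. Step 2 is done in unlang instead of the users file because the LDAP value lands in the reply list, and users-file check items are compared against the request.

```conf
# raddb/dictionary: local attributes that exist only inside the server.
# Numbers in the 3000 range are the local-use range (assumption);
# attributes above 255 are never encoded on the wire, so they cannot leak.
ATTRIBUTE   Local-Authorized-Service    3000    string
ATTRIBUTE   Local-Client-Group          3001    string

# raddb/ldap.attrmap: step 1, copy the LDAP attribute into the reply list
# under the local name. Nothing here depends on which NAS is asking.
replyItem   Local-Authorized-Service    AuthorizedService

# raddb/nas_groups (constructed data file): <NAS address>:<group>
# 192.0.2.10:vpn
# 192.0.2.20:wifi

# raddb/modules/nas_groups: rlm_passwd instance keyed on NAS-IP-Address.
# "*" marks the lookup key; "=" puts the group into the request list.
passwd nas_groups {
    filename = ${confdir}/nas_groups
    format = "*NAS-IP-Address:=Local-Client-Group"
    delimiter = ":"
    hashsize = 100
    allowmultiplekeys = no
}

# raddb/sites-enabled/default, authorize section: step 2, translate the
# local attribute into a real reply attribute according to the NAS group.
# A client that is not listed gets no group and therefore no elevated access.
authorize {
    ldap
    nas_groups
    if (Local-Client-Group == "vpn" && reply:Local-Authorized-Service == "admin") {
        update reply {
            Service-Type := Administrative-User
        }
    }
    elsif (Local-Client-Group == "wifi" && reply:Local-Authorized-Service == "admin") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    else {
        update reply {
            Service-Type := Framed-User
        }
    }
}
```

Test it with the debug server (radiusd -X) and a sample Access-Request from each NAS address; the debug output shows the reply list before and after the authorize section, which is where a wrong group or a missing dictionary entry becomes visible.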