LDAP->RADIUS Attribute Mapping

Alan DeKok aland at deployingradius.com
Fri Dec 8 20:21:59 CET 2006


Owen DeLong wrote:

> We have historically used the AuthorizedService attribute in LDAP to
> control the level of access available to the user.  We would like to
> continue to do so.  However, in order for that to work, I need to map
> AuthorizedService to different RADIUS attributes in the response
> depending on the authentication client.

  Do it in two steps.  Map the AuthorizedService LDAP attribute to a
RADIUS attribute (invent a local one, see the dictionary docs), and then
depending on the NAS, map that to another attribute.

  The reason for doing it this way is that the LDAP -> RADIUS attribute
mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into "groups" and
> have a mapping of AuthorizedService values for each group.  The client
> groups would, ideally, be defined by matching the client IP address.
> An example of what I'd like that mapping to look like is below:

  Use rlm_passwd to map clients to groups (see its documentation), and
then the "users" file to map AuthorizedService to another RADIUS
attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand,
> I've done my best to RTFM before posting this.

  As I tell my co-workers, "Remember, there are no stupid questions.
There are only stupid people."

  And they still speak to me after that. :)

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
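The two-step mapping Alan describes, written out as an added configuration example (it is not part of the original thread and not FreeRADIUS project code). It targets FreeRADIUS 2.x, whose unlang syntax did not exist in the 1.1 releases current when this was posted. Step one copies the LDAP attribute into the reply list under a local dictionary attribute; step two translates that attribute per client group and then strips it. The local attribute name My-Authorized-Service and its number 3000, the group names "routers" and "vpn", the NAS addresses, the AuthorizedService values "admin" and "user" and the reply attributes chosen for each group are all made up for the example. The client-to-group step uses the huntgroups file that rlm_files reads, a built-in substitute for the rlm_passwd lookup Alan suggests; either way the group ends up as a name the users file or unlang can test. Values that are not explicitly mapped are rejected, so a new AuthorizedService value or a NAS that is in no group fails closed rather than silently granting whatever the NAS defaults to.

```text
# --- raddb/dictionary ------------------------------------------------------
# Local attribute (assumed name/number).  Numbers 3000 and up are internal to
# the server and are never encoded into a packet, so the raw LDAP value can
# never reach a NAS by accident.
ATTRIBUTE   My-Authorized-Service   3000    string

# --- raddb/ldap.attrmap  (set as dictionary_mapping in modules/ldap) -------
# Step one: copy the LDAP attribute into the reply list under the local name.
# Format is: <checkItem|replyItem> <RADIUS attribute> <LDAP attribute>
replyItem   My-Authorized-Service   AuthorizedService

# --- raddb/huntgroups  (read by rlm_files; addresses are made up) ---------
# Client groups keyed on the NAS address; one group per line, repeat as needed.
routers     NAS-IP-Address == 192.0.2.10
routers     NAS-IP-Address == 192.0.2.11
vpn         NAS-IP-Address == 198.51.100.5

# --- raddb/sites-enabled/default, "authorize" section ----------------------
# Only the relevant part is shown; "ldap" must run before this block so the
# local attribute is already in the reply list.
authorize {
    preprocess
    ldap

    # Step two: translate the local attribute according to the client group.
    switch "%{reply:My-Authorized-Service}" {
        case "admin" {
            if (Huntgroup-Name == "routers") {
                update reply {
                    Service-Type := Administrative-User
                    Cisco-AVPair := "shell:priv-lvl=15"
                }
            }
            elsif (Huntgroup-Name == "vpn") {
                update reply {
                    Service-Type := Framed-User
                    Filter-Id    := "admin-acl"
                }
            }
            else {
                # NAS is in no known group: do not guess, refuse.
                reject
            }
        }
        case "user" {
            if (Huntgroup-Name == "routers") {
                update reply {
                    Service-Type := NAS-Prompt-User
                    Cisco-AVPair := "shell:priv-lvl=1"
                }
            }
            elsif (Huntgroup-Name == "vpn") {
                update reply {
                    Service-Type := Framed-User
                    Filter-Id    := "user-acl"
                }
            }
            else {
                reject
            }
        }
        case {
            # Empty or unknown AuthorizedService value: fail closed.
            reject
        }
    }

    # The local attribute has done its job; remove every instance so it
    # never lingers in the reply list (it would not be sent anyway, but the
    # debug output stays honest about what the NAS receives).
    update reply {
        My-Authorized-Service !* ANY
    }
}
```

Check the result with `radiusd -X` and a test request from each NAS address (radtest accepts the NAS address via `-x`-style debug plus the usual `radtest user pass server nas-port secret` arguments, but the simplest check is to watch the "Sending Access-Accept" block in the debug output). The rlm_passwd route Alan points at works the same way: its lookup produces an attribute you can test in place of Huntgroup-Name, with the file format and field prefixes as documented for the installed version.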



More information about the Freeradius-Users mailing list