authorization depending on authentication (ldap)
Bjørn Mork
bjorn at mork.no
Thu Jan 5 11:56:33 CET 2006
tschaos at gmx.net writes:
> I am running freeradius-1.0.2-5.5
> there are 3 ldap instances:
> ldap1,ldap2,ldap3.
>
> and authenticate them all one after another in the authentication section like
> this:
>
> authenticate {
> ldap1
> ldap2
> ldap3
> }
>
> same in authorize-section:
>
> authorize {
> ldap1
> ldap2
> ldap3
> }
>
> now my problem is that if the user x is authenticated at ldap2, for instance,
> the authorization fails because the user isn't found at ldap1 (freeradius
> doesn't seem to try authorizing on ldap2 or ldap3)
>
> what I need would be a solution for how to realize the following needs:
>
> if authentication runs over ldap1 authorize on ldap1
> if authentication runs over ldap1 authorize on ldap2
> if authentication runs over ldap1 authorize on ldap3
>
> how can I do that?
I assume you meant
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap2 authorize on ldap2
if authentication runs over ldap3 authorize on ldap3
The authenticate processing should set Auth-Type to a unique value
for each instance. If you're using the default schema, then you can
do that by adding a radiusAuthType ldap attribute to each user. Or
maybe better: use a default profile to set the appropriate
radiusAuthType for each ldap instance.
E.g. add something like this to the directories:

ldap1:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP1

ldap2:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP2

ldap3:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP3
And then in radiusd.conf:

modules {
    ..
    ldap ldap1 {
        ..
        default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        ..
    }
    ldap ldap2 {
        ..
        default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        ..
    }
    ldap ldap3 {
        ..
        default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        ..
    }
}
..
authorize {
    Auth-Type LDAP1 {
        ldap1
    }
    Auth-Type LDAP2 {
        ldap2
    }
    Auth-Type LDAP3 {
        ldap3
    }
}
Note: This would be a lot easier with freeradius-1.1, where I believe
something like this would have been sufficient since rlm_ldap now sets
Auth-Type to the instance name by default:

authorize {
    Auth-Type ldap1 {
        ldap1
    }
    Auth-Type ldap2 {
        ldap2
    }
    Auth-Type ldap3 {
        ldap3
    }
}
Bjørn
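As an added example (not from the original post or from the FreeRADIUS project), here is a Python check for the setup Bjørn describes: it reads the default-profile entries exported from each directory as LDIF (constructed inline here, with ldap3 deliberately repeating LDAP2) and the `ldap <name> { default_profile = ... }` stanzas of radiusd.conf, and confirms that each instance's profile carries a radiusAuthType no other instance uses, since a duplicate value would route a user found in one directory to the Auth-Type block for another. The instance names, DN and hostnames are assumptions.

```python
import re

# Constructed sample input: the three directories' default-profile entries
# (as LDIF) and the ldap stanzas of radiusd.conf; ldap3 repeats LDAP2 on purpose.
PROFILE_DN = "cn=radprofile,ou=dialup,o=My Org,c=UA"
LDIFS = {n: f"dn: {PROFILE_DN}\nradiusAuthType: {t}\n"
         for n, t in [("ldap1", "LDAP1"), ("ldap2", "LDAP2"), ("ldap3", "LDAP2")]}
RADIUSD_CONF = "".join(
    f'ldap {n} {{\n    server = "{n}.example"\n    default_profile = "{PROFILE_DN}"\n}}\n'
    for n in ("ldap1", "ldap2", "ldap3")
)

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF."""
    entries, cur, dn = {}, {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():  # a blank line ends the current entry
            if dn:
                entries[dn] = cur
            cur, dn = {}, None
            continue
        attr, _, val = line.partition(":")
        if attr == "dn":
            dn = val.strip()
        else:
            cur.setdefault(attr, []).append(val.strip())
    return entries

def parse_default_profiles(conf):
    """Map ldap instance name -> default_profile DN (DN must precede any nested sub-section)."""
    pat = re.compile(r'ldap\s+(\w+)\s*\{.*?default_profile\s*=\s*"([^"]+)"', re.S)
    return dict(pat.findall(conf))

def check_auth_types(conf, ldifs):
    """Return problems found; an empty list means every instance has its own radiusAuthType."""
    problems, seen = [], {}
    for inst, dn in parse_default_profiles(conf).items():
        entry = parse_ldif(ldifs.get(inst, "")).get(dn)
        if entry is None:
            problems.append(f"{inst}: default_profile {dn} missing")
            continue
        types = entry.get("radiusAuthType", [])
        if len(types) != 1:
            problems.append(f"{inst}: need exactly one radiusAuthType")
            continue
        if types[0] in seen:
            problems.append(f"{inst}: {types[0]} also used by {seen[types[0]]}")
        seen[types[0]] = inst
    return problems
```

Run it against real exports (`ldapsearch -LLL` output per directory) and the live radiusd.conf after any change to the profiles; the same check also catches a default_profile DN that was never created in one of the directories.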