authorization depending on authentication (ldap)
tschaos at gmx.net
Thu Jan 5 13:30:16 CET 2006
> I assume you meant
>
> if authentication runs over ldap1 authorize on ldap1
> if authentication runs over ldap2 authorize on ldap2
> if authentication runs over ldap3 authorize on ldap3
Sorry, my fault - I should check my copy-paste better ;-)
> The authenticate processing should set Auth-Type to an unique value
> for each instance. If you're using the default schema, then you can
> do that by adding a radiusAuthType ldap attribute to each user. Or
> maybe better: Use a default profile to set the appropriate
> radiusAuthType for each ldap instance.
>
> E.g. add something like this to the directories:
>
> ldap1:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP1
>
> ldap2:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP2
>
> ldap3:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP3
Hm, I don't understand where I should add this kind of lines. I guess they
should be in the users file as a default entry.
Can you give a complete working sample for such an entry? Sorry if this
would be base knowledge, but I don't know how to check LDAP settings in the
users file.
thanks in advance
Stefan
> --- Original message ---
> From: Bjørn Mork <bjorn at mork.no>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: authorization depending on authentication (ldap)
> Date: Thu, 05 Jan 2006 11:56:33 +0100
>
> tschaos at gmx.net writes:
>
> > I am running freeradius-1.0.2-5.5
>
> > There are 3 ldap instances:
> > ldap1, ldap2, ldap3.
> >
> > and I authenticate against them all, one after another, in the authenticate section like
> > this:
> >
> > authenticate {
> > ldap1
> > ldap2
> > ldap3
> > }
> >
> > Same in the authorize section:
> >
> > authorize {
> > ldap1
> > ldap2
> > ldap3
> > }
> >
> > Now my problem is that if user x is authenticated at ldap2, for
> > instance, the authorization fails because the user isn't found at ldap1 (freeradius
> > doesn't seem to try authorizing on ldap2 or ldap3).
> >
> > What I need would be a solution for how to realize the following needs:
> >
> > if authentication runs over ldap1 authorize on ldap1
> > if authentication runs over ldap1 authorize on ldap2
> > if authentication runs over ldap1 authorize on ldap3
> >
> > How can I do that?
>
> I assume you meant
>
> if authentication runs over ldap1 authorize on ldap1
> if authentication runs over ldap2 authorize on ldap2
> if authentication runs over ldap3 authorize on ldap3
>
>
> The authenticate processing should set Auth-Type to a unique value
> for each instance. If you're using the default schema, then you can
> do that by adding a radiusAuthType ldap attribute to each user. Or
> maybe better: Use a default profile to set the appropriate
> radiusAuthType for each ldap instance.
>
> E.g. add something like this to the directories:
>
> ldap1:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP1
>
> ldap2:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP2
>
> ldap3:
> dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> radiusAuthType: LDAP3
>
> And then in radiusd.conf:
>
> modules {
> ..
> ldap ldap1 {
> ..
> default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> ..
> }
> ldap ldap2 {
> ..
> default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> ..
> }
> ldap ldap3 {
> ..
> default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> ..
> }
> }
> ..
> authorize {
> Auth-Type LDAP1 {
> ldap1
> }
> Auth-Type LDAP2 {
> ldap2
> }
> Auth-Type LDAP3 {
> ldap3
> }
> }
>
>
>
>
> Note: This would be a lot easier with freeradius-1.1, where I believe
> something like this would have been sufficient since rlm_ldap now sets
> Auth-Type to the instance name by default:
>
> authorize {
> Auth-Type ldap1 {
> ldap1
> }
> Auth-Type ldap2 {
> ldap2
> }
> Auth-Type ldap3 {
> ldap3
> }
> }
>
>
>
> Bjørn
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
--
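A consistency check for the setup Bjørn describes, added here as an example (not code from the thread or from FreeRADIUS itself): it reads each directory's default-profile LDIF and the authorize section as plain text and reports an instance whose radiusAuthType has no matching Auth-Type section, a section that calls a different instance, or two directories handing out the same value, which would send both to one section. The sample inputs are constructed from the entries quoted above; the parsing is a text-level approximation, not FreeRADIUS's own config parser.

```python
import re
from collections import defaultdict

# Constructed sample input: each rlm_ldap instance's default profile entry
# (the entries from the thread) as an LDIF fragment.
PROFILE_LDIF = {
    "ldap1": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP1\n",
    "ldap2": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP2\n",
    "ldap3": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP3\n",
}
# Constructed sample input: the authorize section from the thread.
AUTHORIZE_BLOCK = """authorize {
    Auth-Type LDAP1 { ldap1 }
    Auth-Type LDAP2 { ldap2 }
    Auth-Type LDAP3 { ldap3 }
}"""

def profile_auth_types(ldif_by_instance):
    """Map instance -> radiusAuthType found in that directory's default profile."""
    result = {}
    for inst, ldif in ldif_by_instance.items():
        m = re.search(r"^radiusAuthType:\s*(\S+)\s*$", ldif, re.MULTILINE)
        result[inst] = m.group(1) if m else None
    return result

def authorize_auth_types(conf):
    """Map Auth-Type value -> modules listed in its authorize sub-section."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"Auth-Type\s+(\S+)\s*\{([^}]*)\}", conf)}

def check_consistency(ldif_by_instance, conf):
    """Return the misconfigurations that would route authorization to the wrong directory."""
    problems = []
    sections = authorize_auth_types(conf)
    by_type = defaultdict(list)
    for inst, auth_type in profile_auth_types(ldif_by_instance).items():
        if auth_type is None:
            problems.append(f"{inst}: default profile sets no radiusAuthType")
            continue
        by_type[auth_type].append(inst)
        mods = sections.get(auth_type)
        if mods is None:
            problems.append(f"{inst}: no 'Auth-Type {auth_type}' section in authorize")
        elif inst not in mods:
            problems.append(f"{inst}: 'Auth-Type {auth_type}' section does not call {inst}")
    # Two directories returning the same value would send both to one section.
    for auth_type, insts in by_type.items():
        if len(insts) > 1:
            problems.append(f"{auth_type} shared by {', '.join(insts)}: not unique")
    return problems
```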