authorization depending on authentication (ldap)
tschaos at gmx.net
Thu Jan 5 13:56:35 CET 2006
Sorry, now I understand what you meant with that:
> > ldap1:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP1
> >
> > ldap2:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP2
> >
> > ldap3:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP3
I should change the LDAP directory. Isn't it possible to make it fit my needs
without changing the LDAP directory? Without freeradius-1.1?
> --- Original Message ---
> From: tschaos at gmx.net
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: authorization depending on authentication (ldap)
> Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
>
> > I assume you meant
> >
> > if authentication runs over ldap1 authorize on ldap1
> > if authentication runs over ldap2 authorize on ldap2
> > if authentication runs over ldap3 authorize on ldap3
>
> Sorry, my fault - I should check my copy-paste better ;-)
>
>
> > The authenticate processing should set Auth-Type to a unique value
> > for each instance. If you're using the default schema, then you can
> > do that by adding a radiusAuthType ldap attribute to each user. Or
> > maybe better: Use a default profile to set the appropriate
> > radiusAuthType for each ldap instance.
> >
> > E.g. add something like this to the directories:
> >
> > ldap1:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP1
> >
> > ldap2:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP2
> >
> > ldap3:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP3
>
> Hm, I don't understand where I should add these kinds of lines. I guess they
> should be in the users file as a default entry.
>
> Can you give a complete working sample for such an entry? Sorry if this
> is basic knowledge, but I don't know how to check LDAP settings in the
> users file.
>
> Thanks in advance
>
> Stefan
>
> > --- Original Message ---
> > From: Bjørn Mork <bjorn at mork.no>
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: authorization depending on authentication (ldap)
> > Date: Thu, 05 Jan 2006 11:56:33 +0100
> >
> > tschaos at gmx.net writes:
> >
> > > I am running freeradius-1.0.2-5.5
> >
> > > There are 3 ldap instances:
> > > ldap1, ldap2, ldap3.
> > >
> > > and I authenticate them all one after another in the authentication section
> > > like this:
> > >
> > > authenticate {
> > >   ldap1
> > >   ldap2
> > >   ldap3
> > > }
> > >
> > > same in authorize-section:
> > >
> > > authorize {
> > >   ldap1
> > >   ldap2
> > >   ldap3
> > > }
> > >
> > > Now my problem is that if user x is authenticated at ldap2, for instance,
> > > the authorization fails because the user isn't found at ldap1 (freeradius
> > > doesn't seem to try authorizing on ldap2 or ldap3).
> > >
> > > What I need would be a solution for realizing the following needs:
> > >
> > > if authentication runs over ldap1 authorize on ldap1
> > > if authentication runs over ldap1 authorize on ldap2
> > > if authentication runs over ldap1 authorize on ldap3
> > >
> > > How can I do that?
> >
> > I assume you meant
> >
> > if authentication runs over ldap1 authorize on ldap1
> > if authentication runs over ldap2 authorize on ldap2
> > if authentication runs over ldap3 authorize on ldap3
> >
> >
> > The authenticate processing should set Auth-Type to a unique value
> > for each instance. If you're using the default schema, then you can
> > do that by adding a radiusAuthType ldap attribute to each user. Or
> > maybe better: Use a default profile to set the appropriate
> > radiusAuthType for each ldap instance.
> >
> > E.g. add something like this to the directories:
> >
> > ldap1:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP1
> >
> > ldap2:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP2
> >
> > ldap3:
> > dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > radiusAuthType: LDAP3
> >
> > And then in radiusd.conf:
> >
> > modules {
> >   ..
> >   ldap ldap1 {
> >     ..
> >     default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >     ..
> >   }
> >   ldap ldap2 {
> >     ..
> >     default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >     ..
> >   }
> >   ldap ldap3 {
> >     ..
> >     default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >     ..
> >   }
> > }
> > ..
> > authorize {
> >   Auth-Type LDAP1 {
> >     ldap1
> >   }
> >   Auth-Type LDAP2 {
> >     ldap2
> >   }
> >   Auth-Type LDAP3 {
> >     ldap3
> >   }
> > }
> >
> >
> >
> >
> > Note: This would be a lot easier with freeradius-1.1, where I believe
> > something like this would have been sufficient since rlm_ldap now sets
> > Auth-Type to the instance name by default:
> >
> > authorize {
> >   Auth-Type ldap1 {
> >     ldap1
> >   }
> >   Auth-Type ldap2 {
> >     ldap2
> >   }
> >   Auth-Type ldap3 {
> >     ldap3
> >   }
> > }
> >
> >
> >
> > Bjørn
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
>
>
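As an added check that is not part of the thread (the tiny LDIF reader and the LDIF samples are written here, not taken from rlm_ldap or the directories in question), this script verifies that the default-profile entry of each ldap instance carries exactly one radiusAuthType and that no value is shared between instances, which is the precondition for the per-instance Auth-Type dispatch in the authorize section:

```python
# Consistency check for the thread's default-profile scheme: each rlm_ldap
# instance's default_profile entry must carry exactly one radiusAuthType,
# unique across instances, or 'Auth-Type X { ldapN }' cannot tell the
# directories apart.  The LDIF is constructed to mirror the thread's entries;
# nothing here contacts a real directory.
PROFILE_DN = "cn=radprofile,ou=dialup,o=My Org,c=UA"
DIRECTORIES = {  # constructed sample: one LDIF snippet per ldap instance
    name: f"dn: {PROFILE_DN}\nobjectClass: radiusprofile\nradiusAuthType: {name.upper()}\n"
    for name in ("ldap1", "ldap2", "ldap3")
}

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr (lowercased): [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line continues the previous one
        else:
            lines.append(raw.rstrip())
    entries, current = {}, None
    for line in lines:
        if not line:  # blank line ends the entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None and not attr.startswith("#"):
            current.setdefault(attr, []).append(value)
    return entries

def verify_profiles(directories, profile_dn=PROFILE_DN):
    """Return (auth_type -> instance, problems); dispatch is safe iff problems == []."""
    by_type, problems = {}, []
    for instance, ldif in directories.items():
        entry = parse_ldif(ldif).get(profile_dn)
        if entry is None:
            problems.append(f"{instance}: no entry {profile_dn}")
            continue
        values = entry.get("radiusauthtype", [])
        if len(values) != 1:
            problems.append(f"{instance}: expected one radiusAuthType, got {values}")
            continue
        auth_type = values[0].upper()  # Auth-Type values compare case-insensitively
        if auth_type in by_type:
            problems.append(f"{auth_type} set by both {by_type[auth_type]} and {instance}")
        else:
            by_type[auth_type] = instance
    return by_type, problems
```

Feed it the output of an ldapsearch for the profile DN on each server instead of the constructed strings to check a live setup.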