authorization depending on authentication (ldap)

tschaos at gmx.net tschaos at gmx.net
Thu Jan 5 13:56:35 CET 2006


Sorry, now I understand what you meant with that:

> > ldap1:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP1
> > 
> > ldap2:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP2
> >
> > ldap3:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP3

I should change the LDAP directory. Isn't it possible to make it fit my needs
without changing the LDAP directory? Without freeradius-1.1?


> --- Original message ---
> From: tschaos at gmx.net
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: authorization depending on authentication (ldap)
> Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
> 
> > I assume you meant
> >
> > if authentication runs over ldap1 authorize on ldap1
> > if authentication runs over ldap2 authorize on ldap2
> > if authentication runs over ldap3 authorize on ldap3
> 
> Sorry, my fault - I should check my copy-paste better ;-)
> 
> 
> > The authenticate processing should set Auth-Type to a unique value
> > for each instance.  If you're using the default schema, then you can
> > do that by adding a radiusAuthType ldap attribute to each user.  Or
> > maybe better:  Use a default profile to set the appropriate
> > radiusAuthType for each ldap instance.
> > 
> > E.g. add something like this to the directories:
> > 
> > ldap1:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP1
> > 
> > ldap2:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP2
> >
> > ldap3:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP3
> 
> Hm, I don't understand where I should add these kinds of lines. I guess they
> should be in the users file as a default entry.
> 
> Can you give a complete working sample for such an entry? Sorry if this
> is basic knowledge, but I don't know how to check LDAP settings in the
> users file.
> 
> thanks in advance
> 
> Stefan
> 
> > --- Original message ---
> > From: Bjørn Mork <bjorn at mork.no>
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: authorization depending on authentication (ldap)
> > Date: Thu, 05 Jan 2006 11:56:33 +0100
> > 
> > tschaos at gmx.net writes:
> > 
> > > I am running freeradius-1.0.2-5.5
> > 
> > > there are 3 ldap instances:
> > > ldap1,ldap2,ldap3.
> > >
> > > and I authenticate them all one after another in the authentication
> > > section like this:
> > >
> > > authenticate {
> > >                 ldap1
> > >                 ldap2
> > >                 ldap3
> > > }
> > >
> > > Same in the authorize section:
> > >
> > > authorize {
> > >                 ldap1
> > >                 ldap2
> > >                 ldap3
> > > }
> > >
> > > Now my problem is that if user x is authenticated at ldap2, for
> > > instance, the authorization fails because the user isn't found at ldap1
> > > (freeradius doesn't seem to try authorizing on ldap2 or ldap3).
> > >
> > > What I need is a solution that realizes the following needs:
> > >
> > > if authentication runs over ldap1 authorize on ldap1
> > > if authentication runs over ldap1 authorize on ldap2
> > > if authentication runs over ldap1 authorize on ldap3
> > >
> > > How can I do that?
> > 
> > I assume you meant 
> > 
> >  if authentication runs over ldap1 authorize on ldap1
> >  if authentication runs over ldap2 authorize on ldap2
> >  if authentication runs over ldap3 authorize on ldap3
> > 
> > 
> > The authenticate processing should set Auth-Type to a unique value
> > for each instance.  If you're using the default schema, then you can
> > do that by adding a radiusAuthType ldap attribute to each user.  Or
> > maybe better:  Use a default profile to set the appropriate
> > radiusAuthType for each ldap instance.
> > 
> > E.g. add something like this to the directories:
> > 
> > ldap1:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP1
> > 
> > ldap2:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP2
> > 
> > ldap3:
> >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> >         radiusAuthType: LDAP3
> > 
> > And then in radiusd.conf:
> > 
> > modules {
> >         ..
> >         ldap ldap1 {
> >                 ..
> >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >                 ..
> >         }
> >         ldap ldap2 {
> >                 ..
> >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >                 ..
> >         }
> >         ldap ldap3 {
> >                 ..
> >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> >                 ..
> >         }
> > }
> > ..
> > authorize {
> >           Auth-Type LDAP1 {
> >                  ldap1
> >           }
> >           Auth-Type LDAP2 {
> >                  ldap2
> >           }
> >           Auth-Type LDAP3 {
> >                  ldap3
> >           }
> > }
> > 
> > 
> > 
> > 
> > Note: This would be a lot easier with freeradius-1.1, where I believe
> > something like this would have been sufficient since rlm_ldap now sets
> > Auth-Type to the instance name by default:
> > 
> > authorize {
> >           Auth-Type ldap1 {
> >                  ldap1
> >           }
> >           Auth-Type ldap2 {
> >                  ldap2
> >           }
> >           Auth-Type ldap3 {
> >                  ldap3
> >           }
> > }
> > 
> > 
> > 
> > Bjørn
> > 
> > - 
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> > 
> 
> 

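As an added illustration of the default-profile approach quoted above (this is not from the thread or from the FreeRADIUS project), here are the three profile entries written out as LDIF, one stanza per directory server; the objectClass lines assume the openldap schema shipped with FreeRADIUS (radiusprofile), which is an auxiliary class, so a structural class from the local schema may have to be added.

```ldif
# Constructed example: each stanza is loaded into a *different* server
# (ldap1, ldap2, ldap3), so the identical DN is never duplicated within
# one directory. The DN matches the default_profile in radiusd.conf.

# --- load only into ldap1 ---
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
objectClass: top
objectClass: radiusprofile
cn: radprofile
# rlm_ldap reads this as Auth-Type = LDAP1 for every user found on ldap1
radiusAuthType: LDAP1

# --- load only into ldap2 ---
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
objectClass: top
objectClass: radiusprofile
cn: radprofile
radiusAuthType: LDAP2

# --- load only into ldap3 ---
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
objectClass: top
objectClass: radiusprofile
cn: radprofile
radiusAuthType: LDAP3
```

Before restarting radiusd, confirm that the bind DN configured in each ldap instance can read its own profile entry, for example with `ldapsearch -x -s base -b "cn=radprofile,ou=dialup,o=My Org,c=UA" radiusAuthType` against that server; if the module cannot read the profile, Auth-Type stays unset and none of the Auth-Type blocks in authorize will match.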


