authorization depending on authentication (ldap)

Chaos Commander tschaos at gmx.net
Thu Jan 5 14:59:38 CET 2006


I managed it: there is one attribute in our LDAP where I can define exactly
where the user should be authorized.
With the radiusAuthType attribute it works perfectly now.

Thanks a lot for this little hint :-)

Stefan

> --- Original message ---
> From: tschaos at gmx.net
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: authorization depending on authentication (ldap)
> Date: Thu, 5 Jan 2006 13:56:35 +0100 (MET)
> 
> Sorry, now I understand what you meant with that:
> 
> > > ldap1:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP1
> > > 
> > > ldap2:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP2
> > >
> > > ldap3:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP3
> 
> I should change the LDAP directory. Isn't it possible to make it fit my
> needs without changing the LDAP directory? Without freeradius-1.1?
> 
> 
> > --- Original message ---
> > From: tschaos at gmx.net
> > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > Subject: Re: authorization depending on authentication (ldap)
> > Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
> > 
> > > I assume you meant
> > >
> > > if authentication runs over ldap1 authorize on ldap1
> > > if authentication runs over ldap2 authorize on ldap2
> > > if authentication runs over ldap3 authorize on ldap3
> > 
> > sorry my fault - should check my copy-paste better ;-)
> > 
> > 
> > > The authenticate processing should set Auth-Type to a unique value
> > > for each instance.  If you're using the default schema, then you can
> > > do that by adding a radiusAuthType ldap attribute to each user.  Or
> > > maybe better:  Use a default profile to set the appropriate
> > > radiusAuthType for each ldap instance.
> > > 
> > > E.g. add something like this to the directories:
> > > 
> > > ldap1:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP1
> > > 
> > > ldap2:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP2
> > >
> > > ldap3:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP3
> > 
> > Hm, I don't understand where I should add these kinds of lines. I guess they
> > should be in the users file as a default entry.
> > 
> > Can you give a complete working sample for such an entry? Sorry if this
> > would be base knowledge, but I don't know how to check LDAP settings in the
> > users file.
> > 
> > thanks in advance
> > 
> > Stefan
> > 
> > > --- Original message ---
> > > From: Bjørn Mork <bjorn at mork.no>
> > > To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> > > Subject: Re: authorization depending on authentication (ldap)
> > > Date: Thu, 05 Jan 2006 11:56:33 +0100
> > > 
> > > tschaos at gmx.net writes:
> > > 
> > > > I am running freeradius-1.0.2-5.5
> > > >
> > > > There are 3 LDAP instances:
> > > > ldap1, ldap2, ldap3.
> > > >
> > > > and I authenticate against them all, one after another, in the authentication
> > > > section like this:
> > > >
> > > > authenticate {
> > > >                 ldap1
> > > >                 ldap2
> > > >                 ldap3
> > > > }
> > > >
> > > > same in the authorize section:
> > > >
> > > > authorize {
> > > >                 ldap1
> > > >                 ldap2
> > > >                 ldap3
> > > > }
> > > >
> > > > Now my problem is that if user x is authenticated at ldap2, for instance,
> > > > the authorization fails because the user isn't found at ldap1 (freeradius
> > > > doesn't seem to try authorizing on ldap2 or ldap3).
> > > >
> > > > What I need is a solution for the following needs:
> > > >
> > > > if authentication runs over ldap1 authorize on ldap1
> > > > if authentication runs over ldap1 authorize on ldap2
> > > > if authentication runs over ldap1 authorize on ldap3
> > > >
> > > > How can I do that?
> > > 
> > > I assume you meant 
> > > 
> > >  if authentication runs over ldap1 authorize on ldap1
> > >  if authentication runs over ldap2 authorize on ldap2
> > >  if authentication runs over ldap3 authorize on ldap3
> > > 
> > > 
> > > The authenticate processing should set Auth-Type to a unique value
> > > for each instance.  If you're using the default schema, then you can
> > > do that by adding a radiusAuthType ldap attribute to each user.  Or
> > > maybe better:  Use a default profile to set the appropriate
> > > radiusAuthType for each ldap instance.
> > > 
> > > E.g. add something like this to the directories:
> > > 
> > > ldap1:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP1
> > > 
> > > ldap2:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP2
> > > 
> > > ldap3:
> > >         dn: cn=radprofile,ou=dialup,o=My Org,c=UA
> > >         radiusAuthType: LDAP3
> > > 
> > > And then in radiusd.conf:
> > > 
> > > modules {
> > >         ..
> > >         ldap ldap1 {
> > >                 ..
> > >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> > >                 ..
> > >         }
> > >         ldap ldap2 {
> > >                 ..
> > >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> > >                 ..
> > >         }
> > >         ldap ldap3 {
> > >                 ..
> > >                 default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> > >                 ..
> > >         }
> > > }
> > > ..
> > > authorize {
> > >           Auth-Type LDAP1 {
> > >                  ldap1
> > >           }
> > >           Auth-Type LDAP2 {
> > >                  ldap2
> > >           }
> > >           Auth-Type LDAP3 {
> > >                  ldap3
> > >           }
> > > }
> > > 
> > > 
> > > 
> > > 
> > > Note: This would be a lot easier with freeradius-1.1, where I believe
> > > something like this would have been sufficient since rlm_ldap now sets
> > > Auth-Type to the instance name by default:
> > > 
> > > authorize {
> > >           Auth-Type ldap1 {
> > >                  ldap1
> > >           }
> > >           Auth-Type ldap2 {
> > >                  ldap2
> > >           }
> > >           Auth-Type ldap3 {
> > >                  ldap3
> > >           }
> > > }
> > > 
> > > 
> > > 
> > > Bjørn
> > > 
> > > - 
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > 
> > 
> > 
> 
> 


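A consistency check for the per-instance default_profile setup worked out in this thread (an added example, not code from the list or from FreeRADIUS): it reads a radiusd.conf excerpt together with the default-profile entries the three directories return and reports anything that would defeat the Auth-Type dispatch, above all two instances ending up with the same radiusAuthType. The configuration text and LDIF fragments are constructed sample input.

```python
import re

# Constructed sample input (not from a live server): the default-profile
# entry each directory returns, as an LDIF fragment keyed by rlm_ldap instance.
LDIF_BY_INSTANCE = {
    "ldap1": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP1\n",
    "ldap2": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP2\n",
    "ldap3": "dn: cn=radprofile,ou=dialup,o=My Org,c=UA\nradiusAuthType: LDAP3\n",
}

# Constructed radiusd.conf excerpt in the shape proposed in the thread.
RADIUSD_CONF = """modules {
    ldap ldap1 { default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" }
    ldap ldap2 { default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" }
    ldap ldap3 { default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" }
}"""

def ldif_attr(ldif, name):
    """Value of the first `name:` line in an LDIF fragment, or None."""
    m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(name), ldif, re.M | re.I)
    return m.group(1) if m else None

def default_profiles(conf):
    """Map each `ldap <instance> { ... }` block to its default_profile DN (None if unset)."""
    out = {}
    for inst, body in re.findall(r"ldap\s+(\w+)\s*\{([^}]*)\}", conf):
        m = re.search(r'default_profile\s*=\s*"([^"]*)"', body)
        out[inst] = m.group(1) if m else None
    return out

def check_auth_type_mapping(conf, ldif_by_instance):
    """Return (instance -> Auth-Type, problems): no default_profile, a DN the directory
    lacks, a profile without radiusAuthType, or two instances sharing one Auth-Type."""
    mapping, problems, first = {}, [], {}
    for inst, dn in default_profiles(conf).items():
        ldif = ldif_by_instance.get(inst, "")
        if dn is None:
            problems.append("%s: no default_profile" % inst)
        elif ldif_attr(ldif, "dn") != dn:
            problems.append("%s: default_profile DN not found in directory" % inst)
        elif ldif_attr(ldif, "radiusAuthType") is None:
            problems.append("%s: profile has no radiusAuthType" % inst)
        else:
            mapping[inst] = ldif_attr(ldif, "radiusAuthType")
    for inst, at in mapping.items():  # a shared value sends authorization to the wrong ldap module
        if at in first:
            problems.append("%s and %s both set Auth-Type %s" % (first[at], inst, at))
        first.setdefault(at, inst)
    return mapping, problems
```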

