multiple Autz-Type
wekz
fbl.list at gmail.com
Wed Jun 7 10:01:33 CEST 2006
Ooo
I think I found the solution: in users-vlan I changed the lines to this
DEFAULT ldap1-Ldap-Group==Local
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Local,
	Fall-Through = No
DEFAULT ldap1-Ldap-Group==Invitados
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Invitado,
	Fall-Through = No
DEFAULT ldap2-Ldap-Group==Local
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Local,
	Fall-Through = No
DEFAULT ldap2-Ldap-Group==Invitados
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Invitado,
	Fall-Through = No
DEFAULT ldap3-Ldap-Group==Local
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Local,
	Fall-Through = No
DEFAULT ldap3-Ldap-Group==Invitados
	Tunnel-Type=VLAN,
	Tunnel-Medium-Type=6,
	Tunnel-Private-Group-Id=Invitado,
	Fall-Through = No
And it doesn't do unnecessary searches, and when it has to, it searches
correctly.
This works, but is it the best way to do it?
2006/6/7, wekz <fbl.list at gmail.com>:
>
> Thanks very much, Phil. That works. I think it doesn't work in the hints
> file for the reasons you told me.
>
> Now I've got a new problem. I use the radiusGroupName for making the users
> belong to VLAN1, VLAN2 or VLAN3. So I enable
>
> groupmembership_attribute = radiusGroupName
>
> but I left groupname_attribute and groupmembership_filter commented ( in
> each ldap module ).
>
> In another file called users-vlan I defined this:
>
> DEFAULT Ldap-Group == Local
> stuff for assigning VLAN1
> .....
> The file that determines the users' procedence is users-procedence:
>
> DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type=customer1
> .....
>
> The file that proxies ( users-proxy ):
> DEFAULT proxy-to-realm:=CENTRAL
>
> The authorization section:
> ....
> users-procedence
>
> autztype customer1{
>     redundant {
>         group {
>             ldap1 {
>                 notfound = return
>                 fail = return
>             }
>             users-vlan
>
>             mschap
>             eap
>             notfound = 1
>             fail = 1
>         }
>         users-proxy
>     }
> }
> .....
>
>
> The situation is: a user that must be authorized against ldap2 makes a
> match in the users-procedence file and gets the customer2 autztype. So the user
> is looked for in ldap2.
>
> 1.- If it fails, in the logs I can see radius looking for
> ldap_groupcmp() in ldap3, when all I think it must do is proxy.
> 2.- In case the user is found, it makes a search for the ldap
> group in ldap3 too.
>
> I think in the first case there are two problems: it searches when it
> doesn't have to ( unnecessary search ), and it searches badly because it does
> it in the last ldap instantiated ( that is ldap3 ).
>
> In the second case the problem is that it searches in the last ldap
> instantiated.
>
> (( This configuration works fine when all you have is one ldap ))
>
> Is that a bug?? I found a similar bug in the bug list, but it belongs to
> version 1.0.1 ( bug #163, about unnecessary searches ), and I think I read
> about a bug about searching in the last ldap instantiated ( but I think this has
> to do with older versions and I can't find it ).
>
> I solved this problem yesterday but I don't know how to say... I solved it
> in a dirty way ( I hope you understand ). So if you or anyone have an idea
> ...
>
>
>
>
>
> 2006/6/5, Phil Mayers <p.mayers at imperial.ac.uk>:
>
> > wekz wrote:
> > >
> > > I don't know if I have explained it correctly, if I haven't just tell me
> > > ( I'm not an English speaker )
> >
> > Your English is great.
> >
> > > My hints file:
> >
> > Nearly there. Try:
> >
> > DEFAULT NAS-IP-Address == 192.168.xx.yy, Autz-Type := LDAPx
> >
> > I'm not sure that'll work in a hints file - so you may need to use a
> > "users" file - hints puts items into the request pairs, Autz-Type needs
> > to go into the configure pairs.
> >
> > Try this:
> >
> > modules {
> >     # other stuff
> >     files filesFirst {
> >         usersfile = ${confdir}/usersFirst
> >     }
> > }
> >
> > authorize {
> >     preprocess
> >     filesFirst
> >     Autz-Type LDAP1 {
> >         # stuff here
> >         ldap1
> >     }
> >     # other LDAP modules
> > }
> >
> > And in ${confdir}/usersFirst:
> >
> > DEFAULT NAS-IP-Address == 192.168.51.xx, Autz-Type := LDAP1
> >
> > DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type := LDAP2
> >
> > ...and so on.
> >
> > The other slightly simpler way might be to use a "passwd" (badly named)
> > module, e.g.:
> >
> > modules {
> >     passwd nas2autz {
> >         filename = ${confdir}/nas2autz
> >         format = "*NAS-IP-Address:Autz-Type"
> >         # set to 0 to read file on every request - slow
> >         # but instant-updates
> >         hashsize = 100
> >     }
> > }
> >
> > authorize {
> >     preprocess
> >     nas2autz
> >     Autz-Type LDAP1 {
> >         ldap1
> >     }
> >     # other Autz
> > }
> >
> > ...and in ${confdir}/nas2autz
> >
> > 192.168.51.xx:LDAP1
> > 192.168.51.yy:LDAP2
> >
> > Hope that helps
> > Phil
> >
>
>
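To make the behaviour discussed in this thread concrete, here is a small Python simulator of the users-file matching (added here; it is not code from the thread or from FreeRADIUS). It assumes, as the mail describes, that a bare Ldap-Group check is evaluated by the last instantiated ldap module while an ldapN-Ldap-Group check asks instance N; the users-vlan entries and the group memberships are constructed sample data.

```python
import re

# Constructed users-vlan in the thread's format: check items on the DEFAULT line,
# indented reply items, and "Fall-Through = No" stopping at the first match.
USERS_VLAN = """
DEFAULT ldap1-Ldap-Group == Local
\tTunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = Local, Fall-Through = No
DEFAULT ldap2-Ldap-Group == Invitados
\tTunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = Invitado, Fall-Through = No
DEFAULT Ldap-Group == Local
\tTunnel-Type = VLAN, Tunnel-Medium-Type = 6, Tunnel-Private-Group-Id = Local
"""

LDAP_GROUPS = {"ldap1": {"alice": {"Local"}},                        # constructed memberships,
               "ldap2": {"bob": {"Invitados"}, "carol": {"Local"}},  # per ldap instance
               "ldap3": {}}
LAST_INSTANCE = "ldap3"  # a bare Ldap-Group check is resolved here, as the thread describes

def parse_users(text):
    """Return [(check_items, reply_items)]; only the '==' check operator is modelled."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # entry header: "DEFAULT check, check"
            _name, _, checks = line.partition(" ")
            entries.append(([tuple(s.strip() for s in c.split("==")) for c in checks.split(",")], []))
        else:                      # indented reply items: "attr = value, ..."
            for item in line.split(","):
                attr, _, val = item.partition("=")
                entries[-1][1].append((attr.strip(), val.strip()))
    return entries

def group_check(attr, value, user):
    """[ldapN-]Ldap-Group: a qualified check asks instance N, a bare one asks the last instance."""
    m = re.fullmatch(r"(?:(ldap\d+)-)?Ldap-Group", attr)
    return bool(m) and value in LDAP_GROUPS[m.group(1) or LAST_INSTANCE].get(user, set())

def authorize(user, entries):
    """Collect reply items of matching entries; stop unless the entry says Fall-Through = Yes."""
    reply = {}
    for checks, replies in entries:
        if not all(group_check(a, v, user) for a, v in checks):
            continue
        reply.update((a, v) for a, v in replies if a != "Fall-Through")
        if dict(replies).get("Fall-Through", "No").lower() != "yes":
            break
    return reply
```

carol is "Local" only in ldap2, so the unqualified third entry misses her (it asks ldap3), which is the wrong-instance problem the thread describes; the instance-qualified entries are what make alice and bob land in the right VLAN.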