General question about authentication/authorization

George C. Kaplan gckaplan at ack.berkeley.edu
Fri Mar 17 17:45:31 CET 2006


Florian Prester wrote:

>>> Now the big question:
>>> If I have a user who is authenticated, meaning correct username +
>>> password whereas the password is stored in LDAP.
>>> I want to reply attributes according to some other information
>>> stored in LDAP - how can I do such a thing, like:
>>> IF ldap-attribute::xy == valid_1 THEN RETURN ldap-attribute::IP-good,
>>> ELSIF ldap-attribute::xy == valid_2 THEN RETURN
>>> ldap-attribute::IP-better,
>>> ELSE RETURN ldap-attribute::IP-bad

> ok, let's assume a user can authenticate because he/she supplies a valid
> username/password e.g. using PAP. Now the user is authenticated.
> But I want to allow access to something not only if the user is
> authenticated, but also if a given attribute is present in the user's
> ldap entry.
> How can I do that?

We faced a similar problem recently.  The issue is that the rlm_ldap
module is designed to work in the same way as the 'users' file:  compare
incoming "request" attributes to "check" attributes from LDAP, and
authorize the user if they match.

If you control the LDAP schema, then you can do what you want by simply
adding the reply attributes to each user's LDAP profile.  Users with 'xy
== valid_1' get 'IP-good', users with 'xy == valid_2' get 'IP-better',
and so on.

If you *don't* control the LDAP schema (as in our case), you'll have to do
something else.  We combined LDAP with rlm_perl, something like this:

- Define site-local RADIUS attributes in the dictionary, and map them as
check items to the LDAP attributes of interest in 'ldap.attrmap'.

- Define an Autz-Type using both LDAP and rlm_perl, in 'radiusd.conf':

  authorize {
    ...
    Autz-Type our-autz {
       ldap {
          notfound = reject
       }
       perl {
          notfound = reject
       }
    }
    ...
  }

- Configure rlm_perl to call a perl script to compare the retrieved LDAP
attributes according to your policy and add the appropriate reply
attributes.

-- 
George C. Kaplan                            gckaplan at ack.berkeley.edu
Communication & Network Services            510-643-0496
University of California at Berkeley
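A sketch of the kind of rlm_perl script the third step describes, added here as an example and not taken from the post or from FreeRADIUS itself. It assumes hypothetical site-local check items Site-Xy, Site-IP-Good, Site-IP-Better and Site-IP-Bad have been mapped in 'ldap.attrmap', and it writes the chosen address into Framed-IP-Address; the return-code values are the ones rlm_perl's example script defines.

```perl
#!/usr/bin/perl
# Hypothetical rlm_perl authorize script (added example, not from the post).
# Assumes ldap.attrmap maps the LDAP attributes of interest to the check
# items Site-Xy, Site-IP-Good, Site-IP-Better and Site-IP-Bad.
use strict;
use warnings;

# rlm_perl fills these hashes before calling authorize().
use vars qw(%RAD_REQUEST %RAD_CHECK %RAD_REPLY);

# Return codes as defined in rlm_perl's example script.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_UPDATED  => 8,
};

# Policy: value of the 'xy' attribute -> check item holding the address.
my %ip_source_for = (
    valid_1 => 'Site-IP-Good',
    valid_2 => 'Site-IP-Better',
);

# Pure policy function, kept separate so it can be exercised without the
# server.  Returns (return_code, address or undef).
sub choose_address {
    my ($check) = @_;
    my $xy = $check->{'Site-Xy'};
    return (RLM_MODULE_NOTFOUND, undef) unless defined $xy;  # -> notfound = reject
    my $src  = $ip_source_for{$xy} || 'Site-IP-Bad';        # ELSE branch
    my $addr = $check->{$src};
    return (RLM_MODULE_REJECT, undef) unless defined $addr;  # incomplete profile
    return (RLM_MODULE_UPDATED, $addr);
}

sub authorize {
    my ($rc, $addr) = choose_address(\%RAD_CHECK);
    $RAD_REPLY{'Framed-IP-Address'} = $addr if defined $addr;
    return $rc;
}

# Self-test with constructed check items; only runs when the environment
# variable SITE_AUTZ_SELFTEST is set, never under rlm_perl.
if ($ENV{SITE_AUTZ_SELFTEST}) {
    %RAD_CHECK = ('Site-Xy' => 'valid_2', 'Site-IP-Better' => '10.0.2.7',
                  'Site-IP-Bad' => '10.0.9.9');
    my $rc = authorize();
    printf "rc=%d Framed-IP-Address=%s\n", $rc, $RAD_REPLY{'Framed-IP-Address'};
}
```

Run it by hand with `SITE_AUTZ_SELFTEST=1 perl autz.pl` to see the policy pick Site-IP-Better; under the server it is loaded through rlm_perl's module setting and only authorize() is called.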
