using different LDAP queries to authorize for different services

Sylvain Robitaille syl at alcor.concordia.ca
Thu Apr 3 05:22:01 CEST 2008


On Thu, 3 Apr 2008, Alan DeKok wrote:

> I have trouble remembering messages from 10 minutes ago.  It's easier
> that way.

There were messages 10 minutes ago?  ;-)

> ...
>>   - My configuration files are nearly "stock", with the exception of the
>>     necessary configuration to get the ldap module talking to the LDAP
>>     server.
>>   - This setup has been running like this now for a couple of days
>>     without any trouble.
>
> And yes, it really is that easy.  ...

And quite frankly, darned amazing!  All (?!? nearly all?) the third-party
documentation out there makes it *seem* difficult.  If nothing else,
not trying to set the Auth-Type anywhere (and letting the server do the
Right Thing) results in a noticeable improvement in RADIUS performance
(at least in the case here, where our old configuration explicitly sets
Auth-Type to LDAP, causing an LDAP-bind for every authentication
request, and we're getting LOTS of authentication requests).

Had I persisted more at getting this right (rather than simply "working")
a couple of years ago when I originally set it up, I likely would have
saved myself many headaches!

>> What I'm aiming to accomplish, however, is that the FreeRADIUS server
>> will authorize users for different services based on a slightly
>> different LDAP query.  ...
>
> You should be able to do this with multiple LDAP modules, or maybe by
> dynamically editing the ldap query.

Dynamically editing the query hadn't occurred to me.  I've been trying
to configure multiple instances of the LDAP module.  Even now
considering dynamically editing the ldap query, I suspect that the
multiple module approach is likely simpler to configure and maintain.

> You have to change the reference to "ldap" in sites-available/default.
> to the instance name.  e.g. "ldap_wireless".

In the "authorize" stanza, then?  So I replace

         #
         #  The ldap module will set Auth-Type to LDAP if it has not
         #  already been set
         ldap

with

         #
         #  The ldap module will set Auth-Type to LDAP if it has not
         #  already been set
         ldap_wireless

or

         #
         #  The ldap module will set Auth-Type to LDAP if it has not
         #  already been set
         ldap ldap_wireless

?

Can I then add an "ldap_vpn" as well, in the same place?

Is this where I should be using

         Autz-Type wireless {
             ldap_wireless
         }
         Autz-Type vpn {
             ldap_vpn
         }
         ...
?

I'm placing the ldap module-instance configuration in radiusd.conf,
and setting Autz-Type in users.  Are these the "correct" places for
those items?

Is there specific documentation I should be re-reading to properly
understand this?  I feel as though I "sort-of" understand the sequence,
from examining debug output, but I don't feel I really know (yet) how to
make the server do my bidding.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems and Network analyst                       Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
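The following is an added illustration of the multiple-instance approach discussed above; it is not configuration from the thread or from the FreeRADIUS project. It defines two FreeRADIUS 2.x ldap module instances whose search filters differ only in the required group membership, and dispatches to one of them from the authorize section with an unlang "if" on the request type instead of the Autz-Type sub-sections in the post. The hostname, bind DN, base DN, group DNs and the password placeholder are all assumed values.

```conf
# Added illustration, not part of the original thread. All DNs, the server
# name and the bind password are placeholders.

# --- radiusd.conf (or modules/ldap): one instance per service ---
ldap ldap_wireless {
    server   = "ldap.example.com"
    identity = "cn=radius,ou=services,dc=example,dc=com"
    password = "CHANGE-ME"
    basedn   = "ou=people,dc=example,dc=com"
    # The filter is the authorization decision: a user who is not in the
    # wireless group is simply "not found" and gets no Auth-Type set.
    filter   = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=wireless,ou=groups,dc=example,dc=com))"
}

ldap ldap_vpn {
    server   = "ldap.example.com"
    identity = "cn=radius,ou=services,dc=example,dc=com"
    password = "CHANGE-ME"
    basedn   = "ou=people,dc=example,dc=com"
    filter   = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=vpn,ou=groups,dc=example,dc=com))"
}

# --- sites-available/default: choose the instance per request ---
authorize {
    preprocess
    suffix
    files
    # Route on the kind of NAS port rather than listing both instances;
    # a request that matches neither branch is rejected outright.
    if (NAS-Port-Type == Wireless-802.11) {
        ldap_wireless
    }
    elsif (NAS-Port-Type == Virtual) {
        ldap_vpn
    }
    else {
        reject
    }
    expiration
    logintime
}
```

Two caveats when adapting this: memberOf is only present if the directory exposes it (Active Directory does natively; OpenLDAP needs the memberof overlay), otherwise the group test has to move to a group-based check in the module's own options; and because the ldap module only sets Auth-Type when the filter matches, make sure nothing earlier in authorize (for example a loose entry in the users file) grants access on its own, or the group restriction in the filter is bypassed.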


