using different LDAP queries to authorize for different services

Chris cjl at viptalk.net
Thu Apr 3 06:04:11 CEST 2008


On Apr 2, 2008, at 5:52 PM, Alan DeKok wrote:
> Sylvain Robitaille wrote:
>
>> What I'm aiming to accomplish, however, is that the FreeRADIUS server
>> will authorize users for different services based on a slightly
>> different LDAP query.  The users are in various groups, which can be
>> checked by supplying an LDAP query filter that checks the "memberOf"
>> attribute; users in group "wireless" should be permitted to use the
>> wireless service; users in group "vpn" should be able to use the VPN
>> service; users in both groups could use either, and users in neither
>> group should be refused for either, etc.
>
>  You should be able to do this with multiple LDAP modules, or maybe by
> dynamically editing the ldap query.
>
>> ...  Running radiusd in debug mode shows that the
>> ldap module is using the configuration for its un-named instance (the
>> default one from the stock config files, with minimal configuration to
>> permit it to lookup users in our LDAP).
>
>  You have to change the reference to "ldap" in sites-available/default
> to the instance name.  e.g. "ldap_wireless".
>

I'm looking to do something similar.

What is the proper way to call a specific LDAP module based on NAS-IP-Address (or huntgroup, probably)?

I don't want anything other than files (for overriding LDAP for testing) then LDAP.

Obviously, I want to stay as close to the default config as possible.  :)
