combining LDAP and SQL

mj mailing lists user mj at resulb.ulb.ac.be
Thu Nov 27 11:42:00 CET 2008


Hi,

I've got a working (My)SQL FreeRADIUS 2.1 configuration where users are put in groups (usergroup). I added an 'IP' column to the radgroupcheck table so that I can force RADIUS clients into some groups (via %{Client-IP-Address}).

This allows me to say who can connect from where (WiFi, Dialup, StudentRooms, ...) and have users in multiple groups.
Up to now all my users are stored in the db.

I'm now asked to integrate a new LDAP server into the equation.
Not all users will be put in LDAP (guest users and conference groups will stay in the DB), so there will still be users in the DB.
All LDAP users have to be granted WiFi access.
Other access is DB-dependent (dialup, StudentRooms, ...).

I've tried to add both ldap and sql authorization, but I'm having trouble limiting LDAP users.

This is how it should work:
a: if LDAP OK and client is in "WiFi" accept
b: if LDAP OK and user in usergroup for the right group (%{Client-IP-Address} dependent) accept
c: if LDAP !OK do the classic sql processing.

If I understand correctly, the usual sql process is as follows:
  1. check user in radcheck
  2. if found, check user in usergroup
  3. if found, check radgroupcheck

But if LDAP knows the user, I've got to add the 'WiFi' group to the result of the usergroup query and skip the radcheck query.

Do you see a way through this?

Thanks for reading me.

Michel
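One way to express rules a, b and c from the message above as a FreeRADIUS 2.x unlang `authorize` section, added here as an illustration and not taken from the poster's configuration. It assumes the default `ldap` and `sql` module instances, that `Auth-Type LDAP { ldap }` exists in `authenticate` (the stock 2.x default), and that the WiFi controllers' addresses are known (the two 192.0.2.x addresses are placeholders; the poster keeps this mapping in the custom IP column instead):

```unlang
authorize {
    preprocess

    # Rules a/b: ask LDAP first.  A user found in LDAP gives "ok" or
    # "updated"; an unknown user gives "notfound" and falls through to c.
    ldap
    if (ok || updated) {
        # LDAP users always authenticate against LDAP, never against a
        # radcheck password row that may also exist for the same name.
        update control {
            Auth-Type := LDAP
        }

        # Assumed WiFi controller addresses (placeholders, not the poster's).
        if (Client-IP-Address == 192.0.2.10 || Client-IP-Address == 192.0.2.11) {
            # Rule a: every LDAP user gets WiFi, nothing more to check.
            ok
        }
        else {
            # Rule b: from any other client the DB group tables still
            # decide.  sql runs the usergroup/radgroupcheck lookups; with
            # Auth-Type already fixed to LDAP its radcheck result cannot
            # change how the password is verified.
            sql
            if (notfound) {
                # Not in any group allowed from this client: deny.
                reject
            }
        }
    }
    else {
        # Rule c: unknown to LDAP, classic SQL processing (radcheck,
        # usergroup, radgroupcheck) with the password from the DB.
        sql
    }
}
```

Test rule b with `radtest` from a non-WiFi client address against a user that exists in LDAP but has no usergroup row, and confirm the reply is an Access-Reject before rolling it out.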
