combining LDAP and SQL
mj mailing lists user
mj at resulb.ulb.ac.be
Thu Nov 27 11:42:00 CET 2008
Hi,
I've got a working (My)SQL FreeRADIUS 2.1 configuration where users are put in groups (usergroup). I added an 'IP' column to the radgroupcheck table so that I can force RADIUS clients into some groups (via %{Client-IP-Address}).
This allows me to say who can connect from where (WiFi, Dialup, StudentRooms, ...) and have users in multiple groups.
Up to now all my users are stored in the db.
I'm now asked to integrate a new LDAP server into the equation.
Not all users will be put in LDAP (guest users and conference groups will stay in the DB), so there will still be users in the DB.
All LDAP users have to be granted WiFi access.
Other access is DB dependent (dialup, StudentRooms, ...).
I've tried to add both ldap and sql authorization, but I have trouble limiting LDAP users.
This is how it should work:
a: if LDAP OK and client is in "WiFi" accept
b: if LDAP OK and user in usergroup for the right group (%{Client-IP-Address} dependent) accept
c: if LDAP !OK do the classic sql processing.
If I understand correctly, the usual sql process is as follows:
1. check user in radcheck
2. if found check user in usergroup
3. if found check radgroupcheck
But if LDAP knows the user, I've got to add the 'WiFi' group to the result of the usergroup query and skip the radcheck query.
Do you see a way through this?
Thanks for reading.
Michel
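One way to express the three cases (a), (b) and (c) above in FreeRADIUS 2.1, as an added illustration that is not part of Michel's post and not stock FreeRADIUS configuration. It assumes: an `ldap` module instance already exists in raddb/modules/ldap; a second sql instance named `sql_ldapusers` (an assumed name) points at the same MySQL database as the existing `sql` instance; the membership table is called `usergroup` as in the post; and the existing radgroupcheck rows with the IP column keep doing the per-client filtering exactly as they do today, so "client is in WiFi" is decided by the same group-check query the poster already uses. The database credentials are placeholders.

```unlang
# --- raddb/sites-enabled/default, authorize section (FreeRADIUS 2.1 unlang) ---
authorize {
    preprocess

    # Ask LDAP whether it knows this user: rlm_ldap returns ok/updated when the
    # entry exists and notfound otherwise. Giving 'fail' a priority instead of the
    # default 'return' means an LDAP outage does not reject the DB-only users
    # (guests, conferences); they simply fall through to the SQL path.
    ldap {
        fail = 1
    }

    if (notfound || fail) {
        # Case (c): not an LDAP user, classic SQL processing
        # (radcheck -> usergroup -> radgroupcheck) with the existing instance.
        sql
    }
    else {
        # Cases (a) and (b): LDAP user. This instance never reads radcheck and
        # always adds 'WiFi' to the user's group list, so the IP-aware
        # radgroupcheck rows decide whether this client is allowed. If no group
        # matches the client, rlm_sql returns notfound and the user is rejected.
        sql_ldapusers
        if (notfound) {
            reject
        }
    }

    expiration
    logintime
    pap
}

# --- raddb/sql.conf: second sql instance for LDAP-known users (assumed name) ---
# Same database as the existing 'sql' instance; only the two queries marked
# below differ from the stock 2.1 MySQL dialup.conf text.
sql sql_ldapusers {
    database = "mysql"
    driver = "rlm_sql_${database}"
    server = "localhost"
    login = "radius"              # placeholder credentials
    password = "CHANGE-ME"        # placeholder credentials
    radius_db = "radius"
    sql_user_name = "%{User-Name}"
    read_groups = yes

    # CHANGED: skip radcheck entirely with a query that can never return a row.
    authorize_check_query = "SELECT id, username, attribute, value, op \
        FROM radcheck WHERE 1 = 0"
    authorize_reply_query = "SELECT id, username, attribute, value, op \
        FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id"

    # CHANGED: usergroup membership plus an implicit 'WiFi' group for every LDAP user.
    group_membership_query = "SELECT groupname FROM usergroup \
        WHERE username = '%{SQL-User-Name}' \
        UNION SELECT 'WiFi'"

    # Copy the group check/reply queries (including the IP column filter) from
    # the existing 'sql' instance unchanged; the stock 2.1 text is shown here.
    authorize_group_check_query = "SELECT id, groupname, attribute, value, op \
        FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id"
    authorize_group_reply_query = "SELECT id, groupname, attribute, value, op \
        FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id"
}
```

The explicit `reject` in the LDAP branch matters: rlm_ldap sets Auth-Type for a user it finds, so a notfound from `sql_ldapusers` alone would not stop the request the way it does for DB-only users. Check with `radiusd -X` that an LDAP user from a non-WiFi client is rejected by the group step and that a guest account still takes the `sql` path when the LDAP server is unreachable.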