Different reply items out of LDAP depending on the NAS

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Aug 28 21:16:52 CEST 2009


On Sat, Aug 29, 2009 at 7:11 AM, Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:

> On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <tnt at kalik.net> wrote:
>
>> > I am trying to have granular reply items depending on the NAS they
>> > connected to, all driven using attributes in LDAP without needing to use
>> > realms.
>> >
>> > i.e. User A passes just User&Password to NAS A and gets reply attr
>> > "Service-Type=admin", and the admin comes from an LDAP attribute "nasA".
>> > The same user logs into NAS B and gets back a "Service-Type=user" and the
>> > value user comes from an attribute "nasB".
>> >
>> > Looking through the ldap.attrmap it seems to be a static mapping for
>> > Service-Type to be statically set to a single value from LDAP, but what
>> > happens if I want that value to be different depending on which NAS I
>> > have connected from.
>> >
>> > Have searched around and haven't found any documents talking about how to
>> > have this granular level of configuration.
>>
>> Well, you have custom attributes in LDAP - translate them to custom
>> attributes in radius (define them first in raddb/dictionary and map them
>> in ldap.attrmap, let's say nasA to nasA as replyItem, etc.)
>>
>> Then use unlang to set service type:
>>
>> if(NAS-IP-Address == NAS A IP) {
>>     update reply {
>>          Service-Type = "%{reply:nasA}"
>>     }
>> }
>> elsif(NAS-IP-Address == NAS B IP) {
>> ...
>
>
> Another thought would be to have LDAP group based authorize and attributes
> being passed back.
>
> i.e. the user has "member" attributes specifying which services it has
> access to and which attributes are to be passed back.
>
> This is the user in LDAP.
>
> dn: cn=user,o=users
> member: cn=admin,ou=nasA,o=radius
> member: cn=user,ou=nasB,o=radius
> member: cn=1,ou=nasC,o=radius
> member: cn=15,ou=nasC,o=radius
> member: cn=somethingelse,o=groups
>
> Then I think I would specify the update reply in the clients, i.e.:
>
> if(NAS-IP-Address == NAS A IP) {
>     update reply {
>         Service-Type = "%{reply:nasA}"
>     }
> }
>


What I was actually meaning was:

if (NAS-IP-Address == NAS A IP) {
    # the user is in at least one group under the nasA subtree
    if ("%{reply:member[*]}" =~ /ou=nasA,o=radius/) {
        # and specifically in the admin group for nasA
        if ("%{reply:member[*]}" =~ /cn=admin,ou=nasA,o=radius/) {
            update reply {
                Service-Type = "admin"
            }
        }
    }
}

Or something similar.

I assume I would update the post-auth section under sites-enabled/default?
Or would it be under clients.conf or the modules/ldap?
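An added example, not from this thread, of what such a post-auth block in sites-enabled/default could look like in FreeRADIUS 2.x unlang. It assumes the user's LDAP "member" values are mapped to a reply attribute named LDAP-Member via raddb/dictionary and ldap.attrmap; the NAS addresses, the attribute number and the group DNs are placeholders.

```unlang
# Added example, not from the thread. Assumed glue in raddb/ldap.attrmap:
#   replyItem  LDAP-Member  member
# and in raddb/dictionary (attribute number is a placeholder):
#   ATTRIBUTE  LDAP-Member  3000  string
# rlm_ldap then adds one LDAP-Member reply value per "member" DN.

post-auth {
    # Safe default: anything not matched below gets an ordinary login.
    update reply {
        Service-Type := "Login-User"
    }

    # NAS A (placeholder address): admin only for members of the nasA admin group.
    if (NAS-IP-Address == 192.0.2.10) {
        if ("%{reply:LDAP-Member[*]}" =~ /cn=admin,ou=nasA,o=radius/) {
            update reply {
                Service-Type := "Administrative-User"
            }
        }
    }
    # NAS B (placeholder address): members of the nasB user group keep the
    # plain login set above; anyone without a nasB group is refused outright
    # instead of silently receiving the default.
    elsif (NAS-IP-Address == 192.0.2.20) {
        if ("%{reply:LDAP-Member[*]}" !~ /cn=user,ou=nasB,o=radius/) {
            reject
        }
    }

    # Strip the raw group DNs so they are never sent to the NAS.
    update reply {
        LDAP-Member !* ANY
    }
}
```

Because post-auth runs after authentication, the LDAP reply items collected during authorize are already in the reply list when these checks run.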

