check ldap users with different client IP's

Josip Rodin joy at entuzijast.net
Wed May 26 13:27:15 CEST 2010


On Wed, May 26, 2010 at 05:27:47PM +0800, Stephon Chen wrote:
> I've used freeradius as the front of a LDAP server.
> 
> Here, I want to allow different access rights for each LDAP group & client
> IP address.
> For example:
> 
> user X in LDAP group A, from IP IP-A
> user Y in LDAP group B, from IP IP-B
> 
> If the user is from IP-A and the user is in LDAP group A, then send an Accept-Accept
> packet.
> 
> How can this be done with freeradius?

Read the group attribute from LDAP and put it into a RADIUS attribute (cf.
ldap.attrmap), and then check its value in the post-auth section using
some unlang comparison. If you keep the list of IP-A, IP-B, ... in LDAP,
you can use the same source; otherwise keep a static list or do an SQL
lookup or whatever.

-- 
     2. That which causes joy or happiness.
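
A sketch of the approach described in the reply above, added here as an example; it is not from the thread or from the configuration FreeRADIUS ships. It assumes FreeRADIUS 2.x with the `ldap` module listed in `authorize`, that "client IP" means the source address of the RADIUS request, and that the group is held in a single-valued LDAP attribute, shown as the placeholder `exampleGroupAttr`; the group names and addresses are constructed sample values.

```unlang
# --- raddb/ldap.attrmap (FreeRADIUS 2.x format) ---
# ItemType   RADIUS-Attribute   ldapAttribute
# "exampleGroupAttr" is a placeholder (assumption) for whichever
# single-valued LDAP attribute holds the user's group in your directory.
checkItem    Tmp-String-0       exampleGroupAttr

# --- raddb/sites-available/default ---
post-auth {
	# checkItem values are placed in the control list, so the group read
	# from LDAP is available here as %{control:Tmp-String-0}.
	if ("%{control:Tmp-String-0}" == "groupA") {
		# Group A may only authenticate through the client at IP-A.
		if ("%{Packet-Src-IP-Address}" != "192.0.2.10") {
			reject
		}
	}
	elsif ("%{control:Tmp-String-0}" == "groupB") {
		# Group B may only authenticate through the client at IP-B.
		if ("%{Packet-Src-IP-Address}" != "192.0.2.20") {
			reject
		}
	}
	else {
		# Default deny: no group was returned, or the group has no rule.
		reject
	}
}
```

Running `radiusd -X` and sending one request per group from each address shows which branch matched and the resulting Access-Accept or Access-Reject.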


