dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling
schilling2006 at gmail.com
Tue Jan 25 00:40:40 CET 2011
Thanks a lot.
More questions.
If you want to lower the load (and authentication latency) on your AD
servers then you might want to look at the following too:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
I am trying to follow your comment on this. I now realized we used to
run eDir and now converted to iplanet directory. Anyway, do I still
need to enable the compilation --with-edir option as stated below? My
guess is yes since otherwise, I could not call ldap in the post-auth
section in "auth" virtual server for eap.
##etc/raddb/modules/ldap
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
#edir_account_policy_check = no
What I want to do is just to check some attribute in our ldap server,
our structure is like the following:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=foo,dc=edu> with scope subtree
# filter: uid=sding
# requesting: ALL
#
# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding
I would like to cache the following attribute/value pairs in your example
cache_ldap-userdn.pm, so I can use these values as logic to assign
users to different VLANs. Can I do that in your pm?
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
Thanks,
Schilling
On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter <alex at digriz.org.uk> wrote:
> schilling <schilling2006 at gmail.com> wrote:
>>
>> I am trying to play with your configuration, basically I have a
>> virtual server called auth as in your example, and modified my eap.conf for
>> peap to use auth.
>>
>> what's the config:local.MY.realm? My debug showed
>>
> Phil pretty much covered it (and in a neater manner I was not aware
> could be used, but it is obvious now seeing it...), I put all the 'local
> site' specific details into a single configuration file (including
> SQL/LDAP binding credentials) so that if I want to give someone a copy
> of my config, all I have to really do is trim the 'local' file and know I
> have not leaked anything important.
>
> For example, just after '$INCLUDE clients.conf' in the main radiusd.conf
> file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file
> is:
> ----
> local.MY.hostname = iodine.it.soas.ac.uk
> local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
> local.MY.addr.v4 = 212.219.138.70
>
> local.MY.realm = soas.ac.uk
>
> local.addr.v6 = 2001:630:1b:1001:624a::15bb
> local.addr.v4 = 193.63.73.37
>
> local.test.username = test-username
> local.test.password = [ahem]
>
> local.ldap.server.1 = ldap1.soas.ac.uk
> local.ldap.server.2 = ldap2.soas.ac.uk
> local.ldap.username = cn=cheese,ou=is,o=tasty
> local.ldap.password = NOM
>
> local.sql.server = sql.soas.ac.uk
> local.sql.username = radius-username
> local.sql.password = oh-so-very-secret
>
> local.cert.password = omg-do-not-tell-anyones
>
> [snipped]
>
> $INCLUDE ${confdir}/LOCAL/templates.conf
>
> $INCLUDE ${confdir}/LOCAL/policy.conf
>
> $INCLUDE ${confdir}/LOCAL/proxy.conf
>
> $INCLUDE ${confdir}/LOCAL/clients/
> ----
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Riches cover a multitude of woes.
> -- Menander
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>