different LDAP settings for each client/site
Herbert Fischer
herbert.fischer at gmail.com
Fri May 13 20:34:41 CEST 2011
Ok, I've done this, but the group testing is not working.
server twofactor {
    authorize {
        preprocess
        auth_log
        suffix
        pap
        perl
        if (User-Password =~ /^(.+?)([0-9]{6})$/) {
            update request {
                User-Password := "%{1}"
                One-Time-Password := "%{2}"
            }
        }
        update control {
            Auth-Type := TwoFactor
        }
        if (ldap_group-LDAP-Group != "somegroup") {
            reject
        }
    }
    authenticate {
        Auth-Type TwoFactor {
            perl
            ldap_group
        }
        perl
        ldap_group
    }
    ...
}
Output:
rlm_ldap::ldap_groupcmp: User found in group somegroup
ldap_msgfree
[ldap_group] ldap_release_conn: Release Id: 0
? Evaluating (ldap_group-LDAP-Group != "somegroup") -> TRUE
++? if (ldap_group-LDAP-Group != "somegroup") -> TRUE
++- entering if (ldap_group-LDAP-Group != "somegroup") {...}
+++[reject] returns reject
++- if (ldap_group-LDAP-Group != "r7arq") returns reject
} # server hotp
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/hotp
+- entering group REJECT {...}
On Fri, May 13, 2011 at 10:53 AM, Herbert Fischer <herbert.fischer at gmail.com> wrote:
> Thanks Alan!
>
> And how do I tell Freeradius that only some LDAP groups can authenticate
> against a client?
> I read the docs but did not understand the connection between the users
> file and the virtual server conf.
>
> best regards
>
> On Fri, May 13, 2011 at 2:28 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
>> Herbert Fischer wrote:
>> > I would like to setup LDAP module with different settings for different
>> > clients.
>> >
>> > How can I do this?
>>
>> Either set up a different virtual server for each client, OR use
>> "unlang" to check "if client X, use ldap X"
>>
>> > Can I setup multiple LDAP module settings and specify which one I would
>> > like to use for a site or client?
>>
>> Yes, but you need to edit the "authorize" section to replace:
>>
>>     ldap
>> with
>>
>>     if (client 1 ..) {
>>         ldap1
>>     }
>>     elsif (client 2...) {
>>         ldap2
>>     }
>>     ...
>>
>> > Can I define some of the LDAP settings inside the site or client config?
>>
>> No.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
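As an added example that is not from this thread or from the FreeRADIUS project, here is the per-client layout Alan describes, filled in for FreeRADIUS 2.x: two rlm_ldap instances, one chosen per client in authorize, each followed by a group check, and matching Auth-Type blocks in authenticate. The instance names, client shortnames, hosts, DNs and group names are placeholders; Client-Shortname (taken from clients.conf) and the 2.x behaviour of set_auth_type naming the instance as Auth-Type are assumptions. The group test is written as a negated "==" because the debug output above shows "!=" evaluating TRUE even though the user was found in the group.

```unlang
# Added example, not from the thread or FreeRADIUS itself; FreeRADIUS 2.x syntax.
# modules/ldap: one rlm_ldap instance per site. Hosts, DNs and groups are placeholders.
ldap ldap_site_a {
        server = "ldap-a.example.invalid"
        basedn = "ou=people,dc=site-a,dc=example"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(member=%{control:Ldap-UserDn})"
        set_auth_type = yes
}
ldap ldap_site_b {
        server = "ldap-b.example.invalid"
        basedn = "ou=people,dc=site-b,dc=example"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(member=%{control:Ldap-UserDn})"
        set_auth_type = yes
}
# sites-enabled/default, authorize: pick the instance by the client's shortname
# (Client-Shortname assumed to carry the clients.conf name), then refuse anyone
# outside the required group. Negated "==" is used instead of "!=" (see debug above).
authorize {
        preprocess
        if (Client-Shortname == "nas-site-a") {
                ldap_site_a
                if (!(ldap_site_a-LDAP-Group == "radius-users")) {
                        reject
                }
        }
        elsif (Client-Shortname == "nas-site-b") {
                ldap_site_b
                if (!(ldap_site_b-LDAP-Group == "radius-users")) {
                        reject
                }
        }
        else {
                reject        # unknown client: no LDAP instance, no access
        }
}
# authenticate: with set_auth_type = yes each instance sets Auth-Type to its own
# name (assumed 2.x behaviour), so the user is bound against the chosen directory.
authenticate {
        Auth-Type ldap_site_a {
                ldap_site_a
        }
        Auth-Type ldap_site_b {
                ldap_site_b
        }
}
```

Run the server with radiusd -X and confirm in the debug output that only the expected instance is called for each client and that the group check returns reject for a user outside "radius-users".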