authorization based on ldap attribute
Phil Mayers
p.mayers at imperial.ac.uk
Wed Sep 19 18:37:43 CEST 2012
On 19/09/12 17:03, Stefano Zanmarchi wrote:
> Hallo,
> I've configured freeradius to authenticate users with PEAP, using
> openldap to store NTLM hashes. It works fine.
> Now I'd like to authorize only people who have the ldap attribute
> "haDirittoEduroam" set to Y
> (or the other way round: not to authorize users with
> "haDirittoEduroam" set to N).
> Below an example openldap entry.
> Is there an easy way to achieve this?
1. Edit "raddb/dictionary" to define a local attribute to store the data
ATTRIBUTE Eduroam-Enabled 3010 string
2. Modify "ldap.attrmap" to copy your LDAP attribute into this local
RADIUS attribute:
replyItem Eduroam-Enabled haDirittoEduroam
3. Check the attribute like so in "sites-enabled/inner-tunnel":
authorize {
    ...
    ldap
    if (reply:Eduroam-Enabled != "Y") {
        reject
    }
    ...
}
There are probably other ways to do it, including using an "xlat" to
look up the attribute, i.e. a variation of step 2, or modifying the ldap
queries to only "see" those users.
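The following is an added offline model of the three-step policy in the reply above; it is example code, not part of the original thread and not FreeRADIUS code. It parses a constructed LDIF sample (the uids alice, bob and carol and their DNs are made up), applies the `haDirittoEduroam` to `Eduroam-Enabled` mapping from the attrmap step, and then applies the `!= "Y"` rule. The example deliberately fails closed: a user whose entry lacks the attribute, or who is not in the directory at all, is rejected. Whether the real server's unlang comparison treats an absent reply attribute the same way is something to verify against the version you run, so the test cases below are the ones worth replaying with radtest or similar against a lab server.

```python
"""Offline model of: ldap attrmap copy + unlang reject rule (added example)."""

# Constructed LDIF sample, standing in for the openldap entries in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
haDirittoEduroam: Y

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
haDirittoEduroam: N

dn: uid=carol,ou=people,dc=example,dc=org
uid: carol
"""

# Equivalent of the ldap.attrmap line:  replyItem Eduroam-Enabled haDirittoEduroam
ATTRMAP = {"haDirittoEduroam": "Eduroam-Enabled"}


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated entries, 'attr: value' lines.
    Returns {uid: {attr: [values...]}}. Multi-valued attributes are kept as lists."""
    directory = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        directory[attrs["uid"][0]] = attrs
    return directory


def ldap_reply_items(entry):
    """Model of what rlm_ldap does with replyItem lines: copy each mapped LDAP
    attribute into the RADIUS reply list. Only the first value is used, which is
    a simplification of this example."""
    reply = {}
    for ldap_attr, radius_attr in ATTRMAP.items():
        if ldap_attr in entry:
            reply[radius_attr] = entry[ldap_attr][0]
    return reply


def authorize(uid, directory):
    """Model of the inner-tunnel authorize section:
        ldap
        if (reply:Eduroam-Enabled != "Y") { reject }
    Returns the RADIUS packet type the policy would produce."""
    entry = directory.get(uid)
    if entry is None:
        # ldap returned notfound: nothing to copy, so the check cannot pass.
        return "Access-Reject"
    reply = ldap_reply_items(entry)
    # Fail closed: a missing attribute is treated as "not Y" in this model.
    if reply.get("Eduroam-Enabled") != "Y":
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, authorize(uid, directory))
```

Running it prints alice as the only Access-Accept; bob (attribute N), carol (attribute absent) and dave (no entry) are all rejected, which is the set of cases to confirm against the live server before relying on the rule.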