authorization based on ldap attribute
Gregg Douglas
douglagm at gmail.com
Thu Sep 20 14:35:28 CEST 2012
> 1. Edit "raddb/dictionary" to define a local attribute to store the data
>
> ATTRIBUTE Eduroam-Enabled 3010 string
>
> 2. Modify "ldap.attrmap" to copy your LDAP attribute into this local
> RADIUS attribute:
>
> replyItem Eduroam-Enabled haDirittoEduroam
>
> 3. Check the attribute like so in "sites-enabled/inner-tunnel":
>
> authorize {
>     ...
>     ldap
>     if (reply:Eduroam-Enabled != "Y") {
>         reject
>     }
>     ...
> }
>
With this reject command in the authorize section, is there a method to supply a custom reply message?
An observation I made with the if statement above: if the attribute is not present on the user object, the condition evaluates to false, thus allowing the user access.
Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE")
Thu Sep 20 14:31:23 2012 : Info: (Attribute reply:RadiusAccess was not found)
Thu Sep 20 14:31:23 2012 : Info: ? Evaluating (reply:RadiusAccess != "TRUE") -> FALSE
Thu Sep 20 14:31:23 2012 : Info: ++? if (reply:RadiusAccess != "TRUE") -> FALSE
This can be prevented by following Phil's suggestion to only search for users with the required attribute:

filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(rADIUSEnableDialAccess=*))"
> There are probably other ways to do it, including using an "xlat" to
> lookup the attribute i.e. variation of step 2, or modifying the ldap
> queries to only "see" those users.
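As an added illustration (not from this thread), here is a fail-closed variant of step 3 that also addresses the missing-attribute case shown in the debug output above: the check first tests that the attribute exists, so a user object without it is rejected rather than allowed. The Reply-Message line is an assumption about how you would attach a custom message; whether it is delivered in the Access-Reject depends on your server version and post-auth REJECT configuration.

```unlang
authorize {
    ...
    ldap
    # Fail closed: a missing Eduroam-Enabled attribute is treated the same
    # as an explicit value other than "Y". The existence test comes first,
    # because "!=" on an absent attribute evaluates to FALSE and falls through.
    if (!reply:Eduroam-Enabled || reply:Eduroam-Enabled != "Y") {
        update reply {
            # Assumed example message; adjust to local policy.
            Reply-Message := "eduroam access is not enabled for this account"
        }
        reject
    }
    ...
}
```

Combined with the LDAP filter that restricts the search to users carrying the attribute, this gives two independent checks: the filter keeps unauthorized objects out of the lookup, and the unlang condition refuses anything that still arrives without the expected value.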