feature request: ldap enhancements

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Jan 13 22:31:46 CET 2014


> 
> I know the dynamic client feature.  Here we're looking for the possibility to manage client ip ranges within ldap also. If using dynamic clients server the ip range clients come from must not be defined in clients.conf.
> So I see, the only way to use the full management of radius clients in ldap is to restart fr server after adding client definitions in ldap.

Yes, for now.

> Ok, if I understand this correct I need for each RADIUS Client a separate ldap object in a different ou?

Well it doesn't *have* to be in a different OU, but it's probably better to do that, and they don't have to be separate from the clients you load in with the LDAP module at startup.

> And how can I join the "NAS groups" with the user objects in order to restrict access for user1 to NAS group 1+2 and for user2 to NAS group 2+3 ?
> 

You need two instances of the LDAP module because the configurations are quite different. One you'd set to filter on user objects, the other would be radiusClient objects.

ldap user {

}

ldap nas {

}


authorize {
	user
	nas


	if ((NAS-LDAP-Group == 'foo' || NAS-LDAP-Group == 'bar') && (User-LDAP-Group == 'baz')) {

	}
}

To search for the NAS you probably want to use shortname, and you'll need to make sure that's unique.

	user {
		#  Where to start searching in the tree for users
		base_dn = "${..base_dn}"

		#  Filter for user objects, should be specific enough
		#  to identify a single user object.
		filter = "(&(radiusClientShortname=%{client:shortname})(objectclass=radiusClient))"

		...
	}

IIRC the current client xlat doesn't let you retrieve ID, and you can't use IP addresses if you're using ranges because the LDAP server won't have operators for comparing IPs/ranges.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
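A fuller sketch of the two-instance layout described in the reply above, added here as an example and not part of the original mail. It uses FreeRADIUS 3.0 rlm_ldap option names; the server, bind DN and password, the ou layout, the radiusClient object class and radiusClientShortname attribute, and the group names foo/bar/baz are assumptions and placeholders.

```conf
# Added example (not from the mail); all names below are placeholders.
ldap user {
	server = "ldap.example.org"
	identity = "cn=radius,dc=example,dc=org"
	password = "CHANGE-ME"
	base_dn = "dc=example,dc=org"
	user {
		base_dn = "ou=people,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn
		membership_filter = "(member=%{control:Ldap-UserDn})"
		# Resolve group names now, while control:Ldap-UserDn still holds this
		# instance's DN; the nas instance below overwrites it (assumption).
		cacheable_name = yes
	}
}
ldap nas {
	server = "ldap.example.org"
	identity = "cn=radius,dc=example,dc=org"
	password = "CHANGE-ME"
	base_dn = "dc=example,dc=org"
	# "user" here locates the radiusClient object for the NAS the request came from.
	user {
		base_dn = "ou=nas,${..base_dn}"
		filter = "(&(radiusClientShortname=%{client:shortname})(objectclass=radiusClient))"
	}
	group {
		base_dn = "ou=nasgroups,${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn
		membership_filter = "(member=%{control:Ldap-UserDn})"
		cacheable_name = yes
	}
}

# In the virtual server. Group attributes are named after the instance.
authorize {
	user
	nas
	# Accept only when the NAS is in group foo or bar AND the user is in baz.
	if (!((nas-LDAP-Group == "foo" || nas-LDAP-Group == "bar") && user-LDAP-Group == "baz")) {
		reject
	}
}
```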
