LDAP for Authorization

Walter Reynolds waltr at umich.edu
Fri May 9 15:33:13 CEST 2014

I would like to use LDAP to be able to authorize a user so if they have a
certain attribute I can return a radius AVP with a VLAN ID in the
access-accept.  This would be used for allowing access to licensed library
resources.  However, I am not sure if I can do this the way my LDAP stuff
is set up.

The attribute that has the data I need is multi-valued.

   - StudentAA, StudentDBRN, and StudentFLNT (continuing and incoming
   students regardless of enrollment; includes detached study);
   - EnrolledStudentAA, EnrolledStudentDBRN, EnrolledStudentFLNT (enrolled
   in at least one credit hour for "current" term; next term information is
   used during gap between terms)
   - AlumniAA, AlumniDBRN, AlumniFLNT (any person who has completed at
   least one semester in a degree-granting program)
   - FacultyAA, FacultyDBRN, FacultyFLNT (defined as academic,
   instructional, and research appointments; includes emeritus faculty)
   - RegularStaffAA, RegularStaffDBRN, RegularStaffFLNT (current
   appointment with a status of active, suspended, short-work break, leave, or
   paid leave);
   - TemporaryStaffAA, TemporaryStaffDBRN, TemporaryStaffFLNT (current
   appointment with a status of active, suspended, short-work break, leave, or
   paid leave)
   - Retiree (retired from any U-M campus, regardless of other appointments that
   may still be active)
   - SponsoredAffiliateAA, SponsoredAffiliateDBRN, SponsoredAffiliateFLNT
   (has at least one departmental sponsorship).

However, only 5 of them (StudentAA, EnrolledStudentAA, FacultyAA,
RegularStaffAA and TemporaryStaffAA) should get the radius AVP and be
allowed access.  However, when I query I get something like the following:

ldapsearch -h ldap.umich.edu -ZZ -z0 -x -D <cut> -b ou=people,dc=umich,dc=edu -LLL -s sub uniqueid=<username> umichinstroles
dn: uid=royboy,ou=People,dc=umich,dc=edu
umichinstroles: RegularStaffAA
umichinstroles: AlumniFLNT

So that is not really a group membership.

Is this something I will be able to do?  If not natively can folks mention
other options/solutions?

Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438
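
The authorization decision described in the post, as an added Python example that is not part of the original message and is not FreeRADIUS configuration: it reads the multi-valued umichinstroles attribute from ldapsearch -LLL output and returns VLAN reply attributes only on an exact match with one of the five allowed roles. The Tunnel-* attribute names are the standard RADIUS VLAN attributes and are an assumption here (the post only says "a radius AVP with a VLAN ID"); the VLAN ID and the second sample entry are constructed.

```python
import base64
from typing import Optional

# Roles the post says should receive the VLAN attribute (exact values only).
ALLOWED_ROLES = frozenset({
    "StudentAA", "EnrolledStudentAA", "FacultyAA",
    "RegularStaffAA", "TemporaryStaffAA",
})
LIBRARY_VLAN_ID = "100"  # assumption: placeholder VLAN ID, not from the post

def parse_ldif_values(ldif: str, attribute: str) -> list:
    """Return every value of `attribute` from one LDIF entry (ldapsearch -LLL)."""
    # Unfold continuation lines: LDIF wraps long lines with one leading space.
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attribute.lower():
            continue
        if rest.startswith(":"):  # "attr:: <base64>" form for non-ASCII values
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def authorize(ldif: str) -> Optional[dict]:
    """Return reply attributes if any role is allowed, else None (no VLAN)."""
    roles = parse_ldif_values(ldif, "umichinstroles")
    # Exact match per value: a substring or suffix test would let AlumniAA
    # through on "AA", or RegularStaffFLNT through on "RegularStaff".
    if not ALLOWED_ROLES.intersection(roles):
        return None
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": LIBRARY_VLAN_ID,
    }

# Sample entries: the first mirrors the output in the post, the second is constructed.
SAMPLE_ALLOWED = ("dn: uid=royboy,ou=People,dc=umich,dc=edu\n"
                  "umichinstroles: RegularStaffAA\numichinstroles: AlumniFLNT\n")
SAMPLE_DENIED = ("dn: uid=example,ou=People,dc=umich,dc=edu\n"
                 "umichinstroles: AlumniAA\numichinstroles: RegularStaffFLNT\n")
```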