Questions about ldap authentication, huntgroup and authorize file

Alan DeKok aland at deployingradius.com
Tue Oct 10 21:37:35 CEST 2017


On Oct 10, 2017, at 12:00 PM, Jérôme BERTHIER <Jerome.Berthier at inria.fr> wrote:
> 
> Something like that ?
> 
>         if (Ldap-Group == "ldap_group_1" && Huntgroup-Name == "JuniperNet") {
>                 update {
>                         reply:Service-Type = Login
>                         reply:Juniper-Local-User-Name := "radius-admin"
>                 }
>         }
>         # note: this tests the same group as the branch above, so it can never match
>         elsif (Ldap-Group == "ldap_group_1" && Huntgroup-Name == "JuniperNet") {
>                 update {
>                         reply:Service-Type = Login
>                         reply:Juniper-Local-User-Name := "radius-operator"
>                 }
>         }
>         elsif (Huntgroup-Name == "JuniperNet") {
>                 reject
>         }

  Yes, that should work.  Though there's no need to check the Huntgroup-Name over and over again.  You could just do:

   if (Huntgroup-Name == "JuniperNet") {
           if (Ldap-Group == "ldap_group_1") {
                   update reply {
                           Service-Type = Login
                           Juniper-Local-User-Name := "radius-admin"
                   }
           }
           # note: same group as the branch above, so this branch can never match
           elsif (Ldap-Group == "ldap_group_1") {
                   update reply {
                           Service-Type = Login
                           Juniper-Local-User-Name := "radius-operator"
                   }
           }
           else {
                   reject
           }
   }

  That seems a lot clearer.

> Do you mean that I need to set up one module file for each ldap server?

  If the LDAP servers are different, yes.

  Your previous message mentioned multiple LDAP instances.  So... do you have multiple instances or not?

> In the file authorize, I tried to use this attribute associated to each ldap server listed in the module file ldap.
> For example:
> DEFAULT     myldap1-Ldap-Group == "ldap_group_1", Huntgroup-Name == JuniperNet
>             Service-Type = Login,
>             Juniper-Local-User-Name := "radius-admin"
> 
> then radiusd does not start because the attribute is unknown:
> 
> /etc/raddb/mods-config/files/authorize[229]: Parse error (check) for entry DEFAULT: Unknown attribute "myldap1-Ldap-Group"
> Failed reading /etc/raddb/mods-config/files/authorize
> /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

  Do you have an LDAP module which has:

	ldap myldap1 {
		...
	}

  ?

  Again, see the comments in raddb/mods-available/ldap.  Or the Wiki.  This is all documented.

  Alan DeKok.
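As an added worked example (not from the original thread, and not FreeRADIUS's own shipped configuration), this is how the pieces discussed above fit together in a FreeRADIUS 3.x layout: the huntgroup definition that sets Huntgroup-Name, a named ldap instance whose group-membership check is exposed as myldap1-Ldap-Group, and the Juniper policy from the reply. The NAS addresses, LDAP server name, bind DN, base DN and the second group name ldap_group_2 are constructed placeholders.

```unlang
# /etc/raddb/mods-config/preprocess/huntgroups
# The preprocess module sets Huntgroup-Name = "JuniperNet" for requests
# coming from these NAS addresses (constructed placeholders).
JuniperNet      NAS-IP-Address == 192.0.2.10
JuniperNet      NAS-IP-Address == 192.0.2.11

# /etc/raddb/mods-enabled/myldap1
# A second ldap instance.  Because the instance is not named "ldap", its
# group-membership check is registered as "myldap1-Ldap-Group".  Until this
# instance exists, any reference to myldap1-Ldap-Group is an unknown attribute.
ldap myldap1 {
        server = "ldap1.example.org"               # placeholder
        identity = "cn=radius,dc=example,dc=org"   # placeholder bind DN
        password = "change-me"                     # placeholder
        base_dn = "dc=example,dc=org"              # placeholder
        user {
                base_dn = "ou=people,${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        group {
                base_dn = "ou=groups,${..base_dn}"
                filter = "(objectClass=groupOfNames)"
                name_attribute = cn
                membership_attribute = memberOf
        }
}

# /etc/raddb/sites-enabled/default, authorize section
authorize {
        preprocess      # populates Huntgroup-Name from the huntgroups file
        myldap1         # user lookup; caches the user DN used by the group check

        # Only requests from the Juniper NAS group get a local user name, and
        # only members of a known group get through at all.
        if (Huntgroup-Name == "JuniperNet") {
                if (myldap1-Ldap-Group == "ldap_group_1") {
                        update reply {
                                Service-Type = Login
                                Juniper-Local-User-Name := "radius-admin"
                        }
                }
                elsif (myldap1-Ldap-Group == "ldap_group_2") {   # constructed second group
                        update reply {
                                Service-Type = Login
                                Juniper-Local-User-Name := "radius-operator"
                        }
                }
                else {
                        # Everyone else reaching a Juniper NAS is refused outright
                        reject
                }
        }
}
```

Once the myldap1 instance is defined, the same check also works as a users-file entry in the form shown in the quoted message (`DEFAULT  myldap1-Ldap-Group == "ldap_group_1", Huntgroup-Name == JuniperNet`); the parse error in the quoted log is what you see when the instance name in the attribute does not match any instantiated ldap module.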
