grouping services - LDAP


grouping services - LDAP

Rohaizam Abu Bakar
Hi all,
 
Using Freeradius 1.0.4 (FB 4.11)
 
 
I want to group between dialup & ADSL. Refer to the users file below: if Ldap-Group == ADSL is found, it should authenticate/authorize by "ldapadsl", and if not found, assuming a dialup user, it should authenticate/authorize by "ldap1/ldap2" (DIALUP).
 
But the problem, referring to the debug log: no matter whether Ldap-Group == ADSL is found or not, it still checks both ldap1/ldap2 & ldapadsl, i.e. checking the "adslAccess & dialupAccess" attributes.
 
What I want is that if Ldap-Group == ADSL is found, it should be handled by "ldapadsl" and not check "ldap1/ldap2", and the same goes when not found: it will be handled by "ldap1/ldap2" and not check "ldapadsl".
 
 
Can anyone help? Thanks
 
--haizam
 
 
 
##################################
users file:
 
DEFAULT         Ldap-Group == "ADSL", Auth-Type := ADSL
 
DEFAULT         Auth-Type := LDAP
 
#####################################################################
Debug:
 
rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (&(jaringConnectionType=ADSL)(&(uid=organza)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group ADSL not found or user is not a member.
    users: Matched entry DEFAULT at line 147
.
.
.
rlm_ldap: checking if remote access for organza is allowed by dialupAccess
.
..
rlm_ldap: no adslAccess attribute - access denied by default
 
 
############################
authenticate {

        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }

        Auth-Type ADSL {
                ldapadsl
        }
}
 
#############################
authorize {

        redundant {
                ldap1
                ldap2
        }
        ldapadsl
}
 
 
#####################################
ldap ldap1 {
        server = "10.1.1.1"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap ldap2 {
        server = "10.1.1.2"
        basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
        access_attr = "dialupAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

# The instance name must match the name referenced in authorize/authenticate
# ("ldapadsl"); the post had "ldap adsl {" here, which would define an
# instance called "adsl" instead.
ldap ldapadsl {
        server = "10.1.1.3"
        basedn = "ou=ADSL,ou=People,dc=jaring,dc=my"
        access_attr = "adslAccess"
        groupname_attribute = jaringConnectionType
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}
############################################
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: grouping services - LDAP

Dusty Doris


On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:

> Hi all,
>
> Using Freeradius 1.0.4 (FB 4.11)
>
>
> I want to group between dialup & ADSL. Refer to the users file below:
> if Ldap-Group == ADSL is found, it should authenticate/authorize by
> "ldapadsl", and if not found, assuming a dialup user, it should
> authenticate/authorize by "ldap1/ldap2" (DIALUP).
>
> But the problem, referring to the debug log: no matter whether
> Ldap-Group == ADSL is found or not, it still checks both ldap1/ldap2 &
> ldapadsl, i.e. checking the "adslAccess & dialupAccess" attributes.
>
> What I want is that if Ldap-Group == ADSL is found, it should be
> handled by "ldapadsl" and not check "ldap1/ldap2", and the same goes when
> not found: it will be handled by "ldap1/ldap2" and not check
> "ldapadsl".
>
>
> Can anyone help? Thanks

Try using Autz-Type as well; there is some documentation on it in the doc
dir.

It might look something like this.

DEFAULT Ldap-Group == "ADSL", Autz-Type := ADSL, Auth-Type := ADSL

DEFAULT Autz-Type := LDAP, Auth-Type := LDAP


#############################
authorize {
        Autz-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
        Autz-Type ADSL {
                ldapadsl
        }
}
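To make the difference between the two authorize sections concrete, here is an added Python model of the dispatch discussed in this thread. It is not FreeRADIUS code and not from either poster. The module names (ldap1, ldap2, ldapadsl), the access_attr values and the groupname_attribute come from the posted configuration; the directory contents, the user names, and the simplified return codes ("ok", "reject", "notfound", "fail") are constructed assumptions. With the original section, a dialup user passes ldap1 and is then rejected by ldapadsl because the entry has no adslAccess attribute, which is exactly what the posted debug log shows; with Autz-Type, only the branch selected by the users file runs.

```python
# Added example, not FreeRADIUS code: a minimal Python model of the
# authorize {} dispatch discussed in the thread. Directory contents,
# user names and the return codes are constructed assumptions.
from dataclasses import dataclass

# Constructed stand-in for the LDAP directory: uid -> attributes.
# "organza" is a dialup user (as in the posted debug log); "alice" is
# a made-up ADSL user.
DIRECTORY = {
    "organza": {"jaringConnectionType": "DIALUP", "dialupAccess": "TRUE"},
    "alice": {"jaringConnectionType": "ADSL", "adslAccess": "TRUE"},
}

GROUP_ATTR = "jaringConnectionType"  # groupname_attribute from the posted config


def ldap_group(user, group):
    """Model of the Ldap-Group == "<group>" check item."""
    return DIRECTORY.get(user, {}).get(GROUP_ATTR) == group


@dataclass
class LdapInstance:
    """Model of one rlm_ldap instance and its access_attr check."""
    name: str
    access_attr: str

    def authorize(self, user, trace):
        entry = DIRECTORY.get(user)
        if entry is None:
            trace.append(f"{self.name}: user {user} not found")
            return "notfound"
        if self.access_attr not in entry:
            # rlm_ldap denies when access_attr is absent ("access denied by default")
            trace.append(f"{self.name}: no {self.access_attr} attribute - access denied by default")
            return "reject"
        trace.append(f"{self.name}: {self.access_attr} present - access allowed")
        return "ok"


def redundant(instances, user, trace):
    """Model of a redundant {} block: the next instance is tried only on module failure."""
    for inst in instances:
        rc = inst.authorize(user, trace)
        if rc != "fail":
            return rc
    return "fail"


LDAP1 = LdapInstance("ldap1", "dialupAccess")
LDAP2 = LdapInstance("ldap2", "dialupAccess")
LDAPADSL = LdapInstance("ldapadsl", "adslAccess")


def users_file(user):
    """Model of the two DEFAULT entries: the first entry whose check items match wins."""
    if ldap_group(user, "ADSL"):
        return {"Autz-Type": "ADSL", "Auth-Type": "ADSL"}
    return {"Autz-Type": "LDAP", "Auth-Type": "LDAP"}


def authorize_original(user):
    """The posted authorize {}: redundant {ldap1 ldap2} and then ldapadsl, unconditionally."""
    trace = []
    rc = redundant([LDAP1, LDAP2], user, trace)
    if rc == "reject":
        return rc, trace
    # ldapadsl runs for every user, so a dialup user fails its adslAccess check.
    rc = LDAPADSL.authorize(user, trace)
    return rc, trace


def authorize_with_autz_type(user):
    """The suggested authorize {}: only the Autz-Type sub-section selected by users runs."""
    trace = []
    if users_file(user)["Autz-Type"] == "ADSL":
        rc = LDAPADSL.authorize(user, trace)
    else:
        rc = redundant([LDAP1, LDAP2], user, trace)
    return rc, trace


def modules_called(trace):
    """Instance names in the order they ran, for inspecting a trace."""
    return [line.split(":", 1)[0] for line in trace]


if __name__ == "__main__":
    for user in DIRECTORY:
        for label, fn in (("original", authorize_original), ("Autz-Type", authorize_with_autz_type)):
            rc, trace = fn(user)
            print(f"{user:8} {label:10} -> {rc:8} via {modules_called(trace)}")
```

Running it prints one line per user and section; the trace for "organza" under the original section ends with the same "no adslAccess attribute - access denied by default" message the debug log shows, while under the Autz-Type section only ldap1 runs and the user is allowed.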

Re: grouping services - LDAP

Rohaizam Abu Bakar

I've read the doc & did it exactly as suggested, and it's working.
Thanks!

--haizam
----- Original Message -----
From: "Dusty Doris" <[hidden email]>
To: "FreeRadius users mailing list" <[hidden email]>
Sent: Wednesday, July 20, 2005 21:18
Subject: Re: grouping services - LDAP


>
>
> On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:
>
>> Hi all,
>>
>> Using Freeradius 1.0.4 (FB 4.11)
>>
>>
>> I want to group between dialup & ADSL. Refer to the users file below:
>> if Ldap-Group == ADSL is found, it should authenticate/authorize by
>> "ldapadsl", and if not found, assuming a dialup user, it should
>> authenticate/authorize by "ldap1/ldap2" (DIALUP).
>>
>> But the problem, referring to the debug log: no matter whether
>> Ldap-Group == ADSL is found or not, it still checks both ldap1/ldap2 &
>> ldapadsl, i.e. checking the "adslAccess & dialupAccess" attributes.
>>
>> What I want is that if Ldap-Group == ADSL is found, it should be
>> handled by "ldapadsl" and not check "ldap1/ldap2", and the same goes when
>> not found: it will be handled by "ldap1/ldap2" and not check
>> "ldapadsl".
>>
>>
>> Can anyone help? Thanks
>
> Try using Autz-Type as well; there is some documentation on it in the doc
> dir.
>
> It might look something like this.
>
> DEFAULT Ldap-Group == "ADSL", Autz-Type := ADSL, Auth-Type := ADSL
>
> DEFAULT Autz-Type := LDAP, Auth-Type := LDAP
>
>
> #############################
> authorize {
>       Autz-Type LDAP {
>          redundant {
>                 ldap1
>                 ldap2
>         }
>       }
>       Autz-Type ADSL {
>         ldapadsl
>       }
> }

