> On Fri, 21 Feb 2003, Joseph Raviele wrote:
>
> > I commented out the files lines because I kept getting errors. When I looked
> > up the error on the mailing list, it said the solution was to comment the
> > line out. Is the rest of the config, as far as autztype, correct?
>
> I think so but you NEED the files module somewhere (in the end) in the authorize
> section.

Good call. I moved the file line after the autztype statements, but it still
didn't work. I modified the users file by adding an auth-type statement that
follows, and everything worked. Thanks for all of the help.

users:

DEFAULT NAS-IP-Address == 10.x.x.x, Autz-Type := VPN_LDAP, Auth-Type := VPN_LDAP
        Fall-Through = No

>
> >
> >
> > > On Thu, 20 Feb 2003, Joseph Raviele wrote:
> > >
> > > > Thanks for the response, but still no luck. I'm not sure if I'm just
> > > > exhausted and missing something basic, or just some newbie mistake. I
> > > > admit I don't understand the whole autztype thing. Here are my files:
> > > >
> > > > users:
> > > > DEFAULT NAS-IP-Address == 10.x.x.x, Autz-Type := VPN_LDAP
> > > >         Fall-Through = Yes
> > > >
> > > > DEFAULT Service-Type == Framed-User
> > > >         Ascend-Assign-IP-Pool = 1,
> > > >         Framed-IP-Address = 255.255.255.254,
> > > >         Framed-MTU = 1524,
> > > >         Service-Type = Framed-User,
> > > >         Fall-Through = Yes
> > > >
> > > > radiusd.conf:
> > > > [omitted]
> > > >
> > > > ldap VPN_LDAP {
> > > >                 server = "ldap.mydomain.com"
> > > >                 basedn = "o=mydomian.com"
> > > >                 filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(x121address=yes))"
> > > >
> > > > ldap Dial_LDAP {
> > > >                 server = "ldap.mydomain.com"
> > > >                  basedn = "o=mydomain.com"
> > > >                 filter = "(uid=%u)"
> > > > [omitted]
> > > > authorize {
> > > >         autztype VPN_LDAP {
> > > >          VPN_LDAP
> > > >         }
> > > >         autztype Dial_LDAP {
> > > >          Dial_LDAP
> > > >         }
> > > > }
> > >
> > > Do you have the files module in the authorize section?
> > >
> > > > [omitted]
> > > > authenticate {
> > > >          authtype VPN_LDAP {
> > > >          VPN_LDAP
> > > >         }
> > > >         authtype Dial_LDAP {
> > > >           Dial_LDAP
> > > >         }
> > > > }
> > > >
> > > > I have tried several combinations to get the autztype to work. The
> > > > documents I was able to find on it have conflicting info...
> > > >
> > > > Thanks again,
> > > >
> > > > - joe
> > > >
> > > > >
> > > > > > I am currently running FreeRadius 0.8.1 on RedHat 8.0. I have it working to
> > > > > > authenticate any user against an iPlanet LDAP server, if the username and
> > > > > > password are right it returns an accept and the user is all set. What I
> > > > > > would like to do is tie our 2 Cisco VPN servers into this using a
> > > > > > pre-existing LDAP attribute. Any user with the proper name and password gets
> > > > > > dial in access, but only users with "x121address=yes" (generic pre-existing
> > > > > > attribute we chose) get VPN access. I have read through the mail list
> > > > > > archives, searched on the web and tried all of the suggested different ways
> > > > > > and none of them seem to work. I have tried multiple instances of ldap, one
> > > > > > with the attribute and one without. I have tried using autz-type. Is it
> > > > > > possible for someone a little more knowledgeable to point me in the right
> > > > > > direction? It seems as though it should just work with a few small changes
> > > > > > to the radiusd.conf and users file. Thanks in advance for your time and
> > > > > > help.
> > > > > >
> > > > > > - Joe
> > > > >
> > > > > users file:
> > > > >
> > > > > DEFAULT NAS-IP-Address == My.VPN.Server.Ip, Autz-Type := VPN_LDAP
> > > > >
> > > > > ldap VPN_LDAP {
> > > > > [...]
> > > > > > filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(x121address=yes))"
> > > > > }
> > > > >
> > > > > blah blah blah
> > > > >
> > > > > >
> > > > > >
> > > > > > -
> > > > > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > > > > >
> > > > >
> > > > > --
> > > > > Kostas Kalevras Network Operations Center
> > > > > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > > > > Work Phone: +30 210 7721861
> > > > > 'Go back to the shadow' Gandalf
> > > > >
> > > > > -
> > > > > List info/subscribe/unsubscribe? See
> > > > http://www.freeradius.org/list/users.html
> > > > >
> > > >
> > > >
> > >
> > > --
> > > Kostas Kalevras Network Operations Center
> > > [EMAIL PROTECTED] National Technical University of Athens, Greece
> > > Work Phone: +30 210 7721861
> > > 'Go back to the shadow' Gandalf
> > >
> >
> >
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
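
Added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of how the users entries quoted above are matched, contrasting the first attempt (Autz-Type only, Fall-Through = Yes) with the working entry (Auth-Type added, Fall-Through = No). The NAS addresses, the request attributes and the assumption that the Framed-User DEFAULT entry is still present in the working file are constructed for illustration.

```python
# Simplified model of users-file matching (added illustration, not FreeRADIUS code).
# "==" check items are compared with the request; ":=" check items are copied
# into the config list; Fall-Through decides whether later entries are tried.

def entry(checks, sets, reply, fall_through):
    return {"checks": checks, "sets": sets, "reply": reply, "fall": fall_through}

# Second DEFAULT entry from the thread (reply list abbreviated).
FRAMED = entry({"Service-Type": "Framed-User"}, {},
               {"Framed-MTU": "1524", "Service-Type": "Framed-User"}, True)

VPN_NAS = "192.0.2.10"  # constructed stand-in for the masked 10.x.x.x address

# First attempt: Autz-Type only, Fall-Through = Yes.
USERS_BEFORE = [
    entry({"NAS-IP-Address": VPN_NAS}, {"Autz-Type": "VPN_LDAP"}, {}, True),
    FRAMED,
]
# Working version: Auth-Type added, Fall-Through = No.
# Assumption: the Framed-User entry still follows it in the file.
USERS_AFTER = [
    entry({"NAS-IP-Address": VPN_NAS},
          {"Autz-Type": "VPN_LDAP", "Auth-Type": "VPN_LDAP"}, {}, False),
    FRAMED,
]

def process(users, request):
    """Return (config_items, reply_items) after walking DEFAULT entries in order."""
    config, reply = {}, {}
    for e in users:
        if any(request.get(a) != v for a, v in e["checks"].items()):
            continue                  # a "==" check failed: skip this entry
        config.update(e["sets"])      # ":=" items land in the config list
        reply.update(e["reply"])
        if not e["fall"]:
            break                     # Fall-Through = No: stop here
    return config, reply

# Constructed requests: same user arriving via the VPN NAS and via another NAS.
VPN_REQ = {"User-Name": "joe", "NAS-IP-Address": VPN_NAS, "Service-Type": "Framed-User"}
DIAL_REQ = {"User-Name": "joe", "NAS-IP-Address": "192.0.2.20", "Service-Type": "Framed-User"}

if __name__ == "__main__":
    for label, users in (("before", USERS_BEFORE), ("after", USERS_AFTER)):
        for name, req in (("vpn", VPN_REQ), ("dial", DIAL_REQ)):
            print(label, name, process(users, req))
```

In this model a VPN request against the working entry ends with both Autz-Type and Auth-Type set to VPN_LDAP and no Framed-User reply items, while a request from any other NAS skips that entry and never selects the VPN_LDAP instance.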
