I find it difficult to get things authorized (Autz-type) because an
entry that is not in LDAP does not get rejected. If the entry is in LDAP
it can be rejected with the "access_attr_used_for_allow = yes".
NOTE: you should use the defaults instead of my test values in the
following examples.
Example: radiusd.conf
modules {
        ...
        ldap ISDN_Users {
                server = "ldap.lanl.gov"
                net_timeout = 1
                timeout = 4
                timelimit = 3
                ldap_connections_number = 1
                access_attr = "employeeNumber"
                basedn = "dc=lanl,dc=gov"
                filter = "(&(objectClass=person)(employeeNumber=%{Stripped-User-Name:-%{User-Name}}))"
                groupname_attribute = ""
                groupmembership_filter = ""
                groupmembership_attribute = ""
                start_tls = no
                access_attr_used_for_allow = yes
        }
        ...
}
authorize {
        preprocess
        auth_log
        files
        ...
        Autz-Type ISDN2 {
                ISDN_Users
        }
        ...
}
authenticate {
        krb5
}
-------------------------------------------
Example: users
...
DEFAULT Huntgroup-Name == "ISDN", Simultaneous-Use := 1, Autz-Type := ISDN2, Auth-type := Kerberos
        Framed-IP-Address = 255.255.255.254,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Filter-Id = "ISDN",
        Fall-Through = no
...
-------------------------------------------
Example: huntgroups
ISDN    NAS-IP-Address == 128.165.254.254, NAS-Port == 4473-4495
        User-Name == 085407
On Thu, 2004-02-26 at 08:55, Arne Brutschy wrote:
> Hi,
>
> I'm trying to use freeradius with EAP-TTLS and multiple ldap settings.
> Multiple ldap settings because each of them is looking on a different
> access attribute and profile dn attribute. I want to select one of the
> ldap sources for the huntgroup used for wireless clients, the other one
> for the wired clients huntgroup.
>
> If I understood it right, this should work when I set my authorize
> section to:
>
> preprocess
> files
> Autz-Type wiredLDAP {
> wiredLDAP
> }
> eap
>
> In my users file I have:
>
> DEFAULT Service-Type == Framed-User, Huntgroup-Name == "dot1xWired", \
> Autz-Type := wiredLDAP
> NAS-Port-Type = Ethernet,
> Fall-Through = No
>
> So I thought the request would go through the authorize section, first
> preprocessing the huntgroups, then selecting the DEFAULT entry in the
> users file, adding Autz-Type as check-items and selecting the
> appropriate Autz-Type based on that item.
>
> However, this doesn't work when I'm using TTLS, where it works only when
> I have an authorize section like this:
>
> preprocess
> files
> wiredLDAP
> eap
>
> I think it might have something to do with the eap-ttls module proxying
> the request back to the localhost, now using the requestitems from
> inside the tunnel. If the ldap section gets executed in any case (as in
> the second auth section) it works just fine. When I'm using the first
> auth section, I get a "no Auth-Type found for this request" error,
> because no ldap section was processed.
>
> Has anyone encountered problems like this? Is this a bug, a feature that
> is not available, or just a stupid misconfiguration?
>
>
> Regards,
> Arne
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
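As an added illustration for this thread (not FreeRADIUS code, and not posted by either writer), the following Python model walks a request through the authorize flow both messages rely on: preprocess assigns Huntgroup-Name from the huntgroups file, files matches a DEFAULT entry in users and sets Autz-Type, and the Autz-Type sub-section runs the selected ldap instance. It reproduces the two points made above: an ldap "notfound" result does not reject a request whose Auth-Type the users file already set, while an entry that is present in LDAP but lacks the access attribute is rejected under access_attr_used_for_allow; and a request that carries only User-Name, which is how the second poster describes the request the TTLS tunnel hands back, matches no huntgroup, so no Autz-Type is set, no ldap instance runs, and the request ends with no Auth-Type. The 192.0.2.10 NAS, the dot1xWired huntgroup definition, the directory entries, and the "set Auth-Type = LDAP on success" default are constructed assumptions of this model.

```python
"""
Simplified model of the FreeRADIUS 1.x authorize flow discussed in the thread:
preprocess assigns Huntgroup-Name from huntgroups, files matches a DEFAULT
entry in users and sets Autz-Type, and the Autz-Type sub-section runs the
selected ldap instance.  Written for this page as an illustration; it is not
FreeRADIUS code, and every address, name and directory entry is constructed.
"""

# huntgroups: name -> check items (attribute, value); NAS-Port may be "lo-hi".
HUNTGROUPS = {
    "ISDN": [("NAS-IP-Address", "128.165.254.254"), ("NAS-Port", "4473-4495")],
    "dot1xWired": [("NAS-IP-Address", "192.0.2.10"), ("NAS-Port-Type", "Ethernet")],
}

# users: DEFAULT entries as (check items, config items copied into the request).
USERS = [
    ({"Huntgroup-Name": "ISDN"}, {"Autz-Type": "ISDN2", "Auth-Type": "Kerberos"}),
    ({"Huntgroup-Name": "dot1xWired", "Service-Type": "Framed-User"},
     {"Autz-Type": "wiredLDAP"}),
]

# authorize { Autz-Type <name> { <ldap instance> } }
AUTZ_SECTIONS = {"ISDN2": "ISDN_Users", "wiredLDAP": "wiredLDAP"}

# ldap instances: (access_attr, access_attr_used_for_allow, constructed directory
# keyed by the value the filter matches on).  Entry 085408 exists but has no
# employeeNumber, the case the first poster says can be rejected.
LDAP_INSTANCES = {
    "ISDN_Users": ("employeeNumber", True, {
        "085407": {"employeeNumber": "085407", "cn": "Test User"},
        "085408": {"cn": "No Access Attribute"},
    }),
    "wiredLDAP": ("dialupAccess", True, {
        "arne": {"uid": "arne", "dialupAccess": "TRUE"},
    }),
}


def check_item_matches(request, attr, expected):
    """Compare one check item; NAS-Port ranges such as 4473-4495 are inclusive."""
    value = request.get(attr)
    if value is None:
        return False
    if attr == "NAS-Port" and "-" in expected:
        lo, hi = (int(x) for x in expected.split("-"))
        return lo <= int(value) <= hi
    return str(value) == expected


def preprocess(request):
    """Set Huntgroup-Name from the first huntgroup whose check items all match."""
    for name, checks in HUNTGROUPS.items():
        if all(check_item_matches(request, a, v) for a, v in checks):
            request["Huntgroup-Name"] = name
            return name
    return None


def files(request):
    """Apply the first matching DEFAULT entry's config items (Autz-Type, Auth-Type)."""
    for checks, config in USERS:
        if all(check_item_matches(request, a, v) for a, v in checks.items()):
            request.update(config)
            return "ok"
    return "notfound"


def ldap_authorize(instance, request):
    """Model of rlm_ldap authorize: 'notfound' does not reject, it just returns.
    With access_attr_used_for_allow, an entry lacking access_attr is rejected.
    On success Auth-Type is set to LDAP unless something set it earlier; that
    default is an assumption of this model, implied by the quoted error."""
    access_attr, used_for_allow, directory = LDAP_INSTANCES[instance]
    user = request.get("Stripped-User-Name") or request.get("User-Name")  # %{Stripped-User-Name:-%{User-Name}}
    entry = directory.get(user)
    if entry is None:
        return "notfound"
    if used_for_allow and access_attr not in entry:
        return "reject"
    request.setdefault("Auth-Type", "LDAP")
    return "ok"


def authorize(request):
    """Run the authorize section in order; return (result, reason)."""
    preprocess(request)
    files(request)
    autz = request.get("Autz-Type")
    if autz in AUTZ_SECTIONS:
        if ldap_authorize(AUTZ_SECTIONS[autz], request) == "reject":
            return "reject", "access attribute missing in LDAP entry"
    if "Auth-Type" not in request:
        return "reject", "no Auth-Type found for this request"
    return "ok", request["Auth-Type"]


if __name__ == "__main__":
    isdn = {"NAS-IP-Address": "128.165.254.254", "NAS-Port": "4480"}
    print(authorize({"User-Name": "085407", **isdn}))   # in LDAP, Kerberos from users
    print(authorize({"User-Name": "000000", **isdn}))   # not in LDAP, still not rejected
    print(authorize({"User-Name": "085408", **isdn}))   # in LDAP, no employeeNumber
    print(authorize({"User-Name": "arne"}))             # inner-tunnel style request
```

The last call is the interesting one: with no NAS-IP-Address or Service-Type in the request, nothing in huntgroups or users matches, Autz-Type never gets set, and the ldap instance that would have supplied Auth-Type is never run. Listing the ldap instance unconditionally in authorize, as in the second poster's working configuration, sidesteps that because the lookup then no longer depends on the huntgroup check items.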