I find it difficult to get things authorized (Autz-type) because an entry that is not in LDAP does not get rejected. If the entry is in LDAP it can be rejected with the "access_attr_used_for_allow = yes". NOTE: you should use the defaults instead of my test values in the following examples.
Example: radiusd.conf

modules {
	...
	ldap ISDN_Users {
		server = "ldap.lanl.gov"
		net_timeout = 1
		timeout = 4
		timelimit = 3
		ldap_connections_number = 1
		access_attr = "employeeNumber"
		basedn = "dc=lanl,dc=gov"
		filter = "(&(objectClass=person)(employeeNumber=%{Stripped-User-Name:-%{User-Name}}))"
		groupname_attribute = ""
		groupmembership_filter = ""
		groupmembership_attribute = ""
		start_tls = no
		access_attr_used_for_allow = yes
	}
	...
}

authorize {
	preprocess
	auth_log
	files
	...
	Autz-Type ISDN2 {
		ISDN_Users
	}
	...
}

authenticate {
	krb5
}

-------------------------------------------

Example: users

...
DEFAULT	Huntgroup-Name == "ISDN", Simultaneous-Use := 1, Autz-Type := ISDN2, Auth-Type := Kerberos
	Framed-IP-Address = 255.255.255.254,
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Filter-Id = "ISDN",
	Fall-Through = no
...

-------------------------------------------

Example: huntgroups

ISDN	NAS-IP-Address == 128.165.254.254, NAS-Port == 4473-4495
	User-Name == 085407

On Thu, 2004-02-26 at 08:55, Arne Brutschy wrote:
> Hi,
>
> I'm trying to use freeradius with EAP-TTLS and multiple ldap settings.
> Multiple ldap settings because each of them is looking on a different
> access attribute and profile dn attribute. I want to select one of the
> ldap sources for the huntgroup used for wireless clients, the other one
> for the wired clients huntgroup.
>
> As I understood it right, this should work when I set my authorize
> section to:
>
>     preprocess
>     files
>     Autz-Type wiredLDAP {
>         wiredLDAP
>     }
>     eap
>
> In my users file I have:
>
> DEFAULT Service-Type == Framed-User, Huntgroup-Name == "dot1xWired", \
>         Autz-Type := wiredLDAP
>         NAS-Port-Type = Ethernet,
>         Fall-Through = No
>
> So I thought the request will go through the authorize section, first
> preprocessing the huntgroups, then selecting the DEFAULT entry in the
> users file, adding Autz-Type as check-items and selecting the
> appropriate Autz-Type based on that item.
>
> However, this doesn't work when I'm using TTLS, where it works only when
> I have an authorize section like this:
>
>     preprocess
>     files
>     wiredLDAP
>     eap
>
> I think it might have something to do with the eap-ttls module proxying
> the request back to the localhost, now using the request items from
> inside the tunnel. If the ldap section gets executed in any case (as in
> the second auth section) it works just fine. When I'm using the first
> auth section, I get a "no Auth-Type found for this request" error,
> because no ldap section was processed.
>
> Has anyone encountered problems like this? Is this a bug/not available
> feature or just a stupid misconfiguration?
>
>
> Regards,
> Arne
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
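Added example, not part of either mail and not FreeRADIUS code: a small Python simulation of the authorize flow the reply's radiusd.conf/users/huntgroups fragments describe (preprocess tags the huntgroup, files applies the DEFAULT entry, Autz-Type dispatches to the ldap module). It assumes a constructed directory with three users and models rlm_ldap with access_attr = "employeeNumber" and access_attr_used_for_allow = yes as returning "notfound" for a missing entry, "reject" for an entry without the attribute and "ok" otherwise. Running it shows the point of the reply: a user with no LDAP entry is not rejected, because the users file already set Auth-Type := Kerberos and "notfound" is not a reject, while a request outside the huntgroup gets the "no Auth-Type found" outcome Arne saw.

```python
# Added example (constructed simulation, not FreeRADIUS code): models the
# authorize section from the reply above to show why a user with no LDAP
# entry is not rejected when Auth-Type is set by the users file.

# Constructed stand-in for the directory. employeeNumber is the access_attr
# from the reply's ldap config; with access_attr_used_for_allow = yes the
# attribute must be present for the user to be allowed.
LDAP_DIRECTORY = {
    "085407": {"employeeNumber": "085407"},   # entry present, access attr present
    "085408": {"cn": "no-access"},            # entry present, access attr missing
    # "099999" has no entry at all
}
ACCESS_ATTR = "employeeNumber"

# huntgroups: name -> check items the request must match (constructed from
# the "ISDN" example; the NAS-Port range is left out for brevity)
HUNTGROUPS = {
    "ISDN": {"NAS-IP-Address": "128.165.254.254"},
}

# users: (check items, control items) for the DEFAULT entry from the reply
USERS = [
    ({"Huntgroup-Name": "ISDN"},
     {"Autz-Type": "ISDN2", "Auth-Type": "Kerberos"}),
]


def preprocess(request):
    """Tag the request with the first huntgroup whose check items all match."""
    for name, checks in HUNTGROUPS.items():
        if all(request.get(k) == v for k, v in checks.items()):
            request["Huntgroup-Name"] = name
            break
    return request


def files(request):
    """Return the control items of the first matching users entry, or {}."""
    for checks, control in USERS:
        if all(request.get(k) == v for k, v in checks.items()):
            return dict(control)
    return {}


def rlm_ldap(request):
    """Model of rlm_ldap with access_attr set and access_attr_used_for_allow = yes.

    Returns a module code: 'notfound' (no entry), 'reject' (entry without
    the access attribute) or 'ok'.
    """
    entry = LDAP_DIRECTORY.get(request["User-Name"])
    if entry is None:
        return "notfound"      # the case the reply complains about: not a reject
    if ACCESS_ATTR not in entry:
        return "reject"
    return "ok"


def authorize(request):
    """authorize { preprocess files Autz-Type ISDN2 { ISDN_Users } } as a function."""
    preprocess(request)
    control = files(request)
    rc = "noop"
    if control.get("Autz-Type") == "ISDN2":
        rc = rlm_ldap(request)
    return rc, control


def decide(request):
    """Outcome of the authorize stage for one request."""
    rc, control = authorize(request)
    if rc == "reject":
        return "Access-Reject (ldap: access attribute missing)"
    auth_type = control.get("Auth-Type")
    if auth_type is None:
        return "Access-Reject (no Auth-Type found for this request)"
    # 'notfound' from ldap lands here: the users entry already set Auth-Type
    return f"authenticate via {auth_type} (ldap rc={rc})"


def isdn_request(user):
    """Constructed request from the NAS in the huntgroups example."""
    return {"User-Name": user, "NAS-IP-Address": "128.165.254.254"}


if __name__ == "__main__":
    for user in ("085407", "085408", "099999"):
        print(user, "->", decide(isdn_request(user)))
    print("other NAS ->", decide({"User-Name": "085407", "NAS-IP-Address": "10.0.0.1"}))
```

The check a practitioner wants from this model is the third line of output: the unknown user "099999" still reaches Kerberos authentication, so the LDAP lookup as configured is not acting as an authorization gate for users absent from the directory.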