On Mon, 15 Mar 2004, Tariq Rashid wrote:

>
> i've previously used radiator as it is simple to modify the check and reply
> items, especially when the check and reply items depend on some quite
> convoluted logic (the flowchart is not simple).
>
> having had an initial look at freeradius and the ldap module - i am reaching
> the conclusion that the standard modules and freeradius are not suited to
> this task. for simple tasks such as always adding ldap attributes to reply
> packets then freeradius seems to be fine. there appears to be no easy way to
> encode any complex decision logic in the configuration files.
>
> (for example, if domain is xxx and dialled number is one of a, b, c or d,
> then get ldap attributes and add to reply. another example could be if ldap
> attribute exists, then proceed with logic block)...

You can accomplish most things with multiple ldap module instances, the
Ldap-Profile attribute, ldap xlat, and Autz-Type. I don't think the ldap module
should get more complicated, just use the already existing general
infrastructure. doc/rlm_ldap should clear most of the above things.
If you can find a specific need which can't be handled by such a mechanism then
we can talk about changes to the ldap module.

>
> the only sensible location for non-trivial decision logic is in a new module
> specific to our needs. but would this mean that we have to implement our own
> calls to ldap within this module, or could we use the existing ldap module
> to get the relevant attributes and then use these values on our own module?
> that is ...
>    {
>     call standard ldap module;
>     ...
>     call our module (which uses values retrieved)
>     ...
>     }
>
> even my initial look at the ldap module was confusing as the examples simply
> connect to the ldap server using the supplied username and password. this
> is not what i want, i want to connect using a standard single username and
> use the supplied User-Name to obtain various records...

This is wrong, the ldap module will connect with the supplied username/password
for user authentication. User authorization (ldap attributes extraction) is
performed by connecting to the ldap server with the username/password specified
in the module configuration.

>
> thoughts, comments appreciated
>
> tariq
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf
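
The two kinds of LDAP connection described in the reply above, as an added configuration sketch that is not part of the original message or the FreeRADIUS distribution. The server name, DNs, password and search filter are constructed placeholders; the option names are those of the 1.x-era rlm_ldap module documented in doc/rlm_ldap.

```conf
# radiusd.conf fragment (constructed example values throughout)
modules {
	ldap {
		server   = "ldap.example.org"

		# Service account used for the authorization lookup
		# (attribute extraction). Every search runs under this
		# single fixed identity, not as the dialling user.
		# Assumption: this account has read-only access to the
		# subtree below basedn and nothing else.
		identity = "cn=radius-lookup,ou=services,dc=example,dc=org"
		password = "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

		# The supplied User-Name only selects which entry to read.
		basedn   = "ou=people,dc=example,dc=org"
		filter   = "(uid=%{User-Name})"
	}
}

authorize {
	preprocess
	# Binds as "identity" above, finds the user's entry and maps
	# its LDAP attributes to check and reply items.
	ldap
}

authenticate {
	# Only here does the module bind with the user's own DN and
	# the password supplied in the request, to verify that password.
	Auth-Type LDAP {
		ldap
	}
}
```

Because the service account password sits in the server configuration, the file should be readable only by the user the RADIUS daemon runs as.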
