Hi,

I was wondering if there's a way to look for users in different LDAP trees
and/or servers depending on the suffix (@something) in the login. If it's
possible, could someone show me the config?
Thanks in advance.



Sure. First you need to define two ldap configs in radiusd.conf. Instead of just having ldap {, you define ldap and then a name for each instance and include all the config entries under it.

ldap ldap1 {
  server
  basedn
  ...
}

ldap ldap2 {
  ...
}

Then in the authorize section you do this.

authorize {
  Autz-Type ldap1 {
        ldap1
  }
  Autz-Type ldap2 {
        ldap2
  }
}

Then in authenticate, you do

authenticate {
  Auth-Type ldap1 {
        ldap1
  }
  Auth-Type ldap2 {
        ldap2
  }
}

Now, in the users file you can specify which to use based on the realm. Make sure you enable the suffix module to use suffix for realms.


DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1

DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2

DEFAULT Auth-Type := Reject

The users file is parsed top to bottom. In this instance, say a username comes over as [EMAIL PROTECTED]. It will match on the first line and will then use your settings in ldap1 for authorization and authentication. By default you will not fall through to any other rules.

A user comes in with [EMAIL PROTECTED], it will not match the first and will fall through to the second line. There it will match and use ldap2.

A user comes in with [EMAIL PROTECTED], it will not match the first two and hit the last rule, which will reject the user. Of course you could do something else at this point and maybe make it hit a different type of authentication for other realms if you'd like.

You can read more in doc/Autz-Type.
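The routing the reply describes (suffix split off the login, users file walked top to bottom, first match wins, trailing Reject as the catch-all) can be checked offline with a small model. This is example code written for this page, not FreeRADIUS code and not from the poster; it models only the semantics the reply states. Assumptions: the realm is everything after the last "@" (check your version's suffix module if logins may contain more than one), the Realm comparison is an exact string compare, only DEFAULT entries are parsed, and the logins and the "unknown.example" realm are constructed sample input.

```python
"""Toy model of the users-file realm routing from the reply above.
Example code for this page, not FreeRADIUS source: it reproduces the
top-to-bottom, first-match, no-fall-through behaviour of the users
file so the three cases in the reply can be exercised offline."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the three users-file entries given in the reply.
USERS_FILE = """
DEFAULT Realm == "somerealm.com", Autz-Type := ldap1, Auth-Type := ldap1

DEFAULT Realm == "otherrealm.com", Autz-Type := ldap2, Auth-Type := ldap2

DEFAULT Auth-Type := Reject
"""

# One entry: the check items (==) that must match, and the items (:=)
# that are set on the request when the entry matches.
Rule = Tuple[Dict[str, str], Dict[str, str]]

# attribute, operator, optional opening quote, value, matching closing quote
_ITEM = re.compile(r'\s*([\w-]+)\s*(==|:=)\s*("?)([^",]*)\3')


def parse_users_file(text: str) -> List[Rule]:
    """Parse DEFAULT lines into (checks, sets) pairs, in file order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, items = line.partition(" ")
        # Assumption of this model: only DEFAULT entries are handled.
        assert name == "DEFAULT", "only DEFAULT entries are modelled here"
        checks: Dict[str, str] = {}
        sets: Dict[str, str] = {}
        for attr, op, _quote, value in _ITEM.findall(items):
            (checks if op == "==" else sets)[attr] = value
        rules.append((checks, sets))
    return rules


def split_suffix(login: str) -> Tuple[str, Optional[str]]:
    """Model the suffix realm module: 'user@realm' -> (user, realm).
    Assumption: split at the last '@'; a login without '@' gets no Realm."""
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, None
    return user, realm


def route(login: str, rules: List[Rule]) -> Dict[str, str]:
    """Return the items set by the first entry whose checks all match.
    There is no fall-through, as the reply states, so the Reject entry
    only fires when neither realm line matched (unknown realm, or no
    '@' at all, in which case Realm is never set)."""
    _user, realm = split_suffix(login)
    request = {"User-Name": login}
    if realm is not None:
        request["Realm"] = realm
    for checks, sets in rules:
        if all(request.get(attr) == value for attr, value in checks.items()):
            return dict(sets)
    return {}  # unreachable while a catch-all DEFAULT line is last


if __name__ == "__main__":
    parsed = parse_users_file(USERS_FILE)
    # Constructed sample logins covering the three cases plus a bare name.
    for sample in ("alice@somerealm.com", "bob@otherrealm.com",
                   "carol@unknown.example", "dave"):
        print(f"{sample:24} -> {route(sample, parsed)}")
```

Running it shows why the trailing `DEFAULT Auth-Type := Reject` matters: without it, a login for a realm nobody configured (or one with no suffix at all) would fall out of the users file with no Auth-Type set instead of being explicitly refused.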


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
