Dusty, Thanks for your fine input and the reminder on the index (I completely forgot about that). I'll give the ldap module filter a go with the attr_rewrite. I like keeping attributes with the user object, rather than spreading usernames around to various other objects. With this implementation, to me, the extra benefit is that I can just add a radiusGroupName attribute = X to each user object.
BTW, on the attr_rewrite, can I use more advanced regex than just ................: ? It works and always will work, but it would be more clear in the config file if I could say "([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):" or something to that effect... I couldn't get ANY regex to work except the . Does that seem right? Stefan > Message: 4 > Date: Mon, 19 Dec 2005 14:52:10 -0500 (EST) > From: Dusty Doris <[EMAIL PROTECTED]> > Subject: Re: Freeradius-Users Digest, Vol 8, Issue 82 > To: FreeRadius users mailing list > <freeradius-users@lists.freeradius.org> > Message-ID: <[EMAIL PROTECTED]> > Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed > > On Mon, 19 Dec 2005, Stefan Adams wrote: > > > Hey, guys! Thanks for the great replies!! I like what you suggested > > better than what I've come up with in the mean time. I think what I > > came up with will work, it just seems messy/wrong/inefficient. What > > do you think? > > > > modules { > > ldap { > > : > > filter = > > > >"(&(uid=%{Stripped-User-Name:-%{User-Name}}) > >(radiusGroupName=%{Called-Station-ID}))" > > : > > } > > attr_rewrite getssid { > > attribute = Called-Station-Id > > searchin = packet > > searchfor = ".................:" > > replacewith = "" > > ignore_case = yes > > new_attribute = no > > } > > } > > > > authorize { > > # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2 > > preprocess > > eap > > getssid > > ldap > > } > > > > This cuts off the first 17 bytes and then a colon of the > > Called-Station-ID (My AP transmits a dash separated MAC followed by a > > colon and then the SSID). Then it uses this rewritten > > Called-Station-ID and uses that as a filter in the LDAP search. > > Therefore, if the SSID a user tries to connect to is not listed as an > > attribute of the user's LDAP object, the user is denied. > > > > Does that make sense? > > That's a pretty neat idea. The benefit of that is if you had multiple > ldap instances and wanted to implement fail-over within freeradius. To do > it the traditional way, you would need this for fail-over with ldap-group > checks if say you had two ldap instances. > > DEFAULT Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group == > "students" > > DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group == > "students" > > That is so it will check with ldap1 instance first. If that fails, then > check ldap2. > > By doing it your way, you won't need to do that anymore. Instead a > redundant block in authorize would get you what you need already since the > radiusGroupname inside your search filter takes care of the Ldap-Group > check. > > I wonder if you could use regex matches of Called-Station-ID in the > huntgroups file. You'll have to test this out, I doubt it would work, but > its another interesting idea. I don't know if huntgroups excepts regex > and if it can use things like Called-Station-Id > > in huntgroups > > students Called-Station-Id =~ /studentregex/ > faculty Called-Station-Id =~ /facultyregex/ > > Then in users file. > > DEFAULT Ldap-Group == %{Huntgroup-Name} > > Or you're way. > > (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))" > > See doc/configurable_failover and doc/rlm_ldap to see what I'm talking > about with the failover. If you have a load balancer in front of that > ldap server, you won't need to worry about it. But if you don't and you > want to add redundancy, then its something you'll need to think about some > day. Freeradius can do the redundancy for you w/out a load balancer or > shared IP using configurable failover. Actually in the upcoming 1.1 > release it will also do load balancing for you in addition to failover > inside your ldap blocks. > > Hope I'm not too confusing. My point is I like your idea and if its > working for you, it doesn't sound like a bad one to me. You might want to > try hitting it hard to see if the rewrite slows anything down, but I would > bet it doesn't. > > I'd also make sure to add an eq index to radiusgroupname, since you'll be > using that as part of your search filter. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html