We seek to take advantage of FreeRadius 2.0.5's ability to run multiple virtual servers. All our other servers are working except one, which has a complex authentication. As a stand-alone configuration this looks as follows:

################################################################
## MODULES CONFIGURATION
##
################################################################
modules {
    ldap dirnet {
        server = "directory.sub.main.com"
        port = 389
        identity = "cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
        password = xxxxxx
        basedn = "ou=network,dc=main,dc=com"
        filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        ...
        groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))"
        ...
    }

    ldap dirnode {
        server = "directory.main.com"
        port = 389
        identity = "cn=wireless-agent,ou=agents,ou=Academic Computing,ou=units,dc=main,dc=com"
        password = yyyyyyyyyyy
        basedn = "dc=main,dc=com"
        filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        groupmembership_filter = "(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))"
        groupmembership_attribute = eduPersonEntitlement
        groupname_attribute = eduPersonEntitlement
        access_attr = uid
        ...
    }
}

server {
    authenticate {
        ## Use LDAP Authentication
        Auth-Type DIRNODE {
            dirnode
        }
        Auth-Type DIRNET {
            dirnet
        }
    }

    authorize {
        ## Use LDAP Authorization via files config in 'users'
        files
    }
}

And the users file looks like

DEFAULT dirnet-Ldap-Group == "cn=AuthorizedGuestVendorMAINAnywhereUsers,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type := DIRNET
        Class = "%{dirnet:ldap:///ou=authaccounts,ou=network,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}",
        Fall-Through = no

DEFAULT dirnet-Ldap-Group == "cn=VPNPHONES,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type := DIRNET
        Class = "urn:mace:main.com:RINGS:group:main_anywhere:vpnphone",
        Fall-Through = no

DEFAULT User-Profile := "uid=%{Stripped-User-Name:-%{User-Name}},ou=authaccounts,dc=main,dc=com", Auth-Type := DIRNODE
        Class = "%{dirnode:ldap:///ou=authaccounts,dc=main,dc=com?eduPersonEntitlement?sub?uid=%{User-Name}",
        Fall-Through = no

DEFAULT Auth-Type := REJECT
        Reply-Message = "User Login Rejected"

--------------------------

I've gotten as far as:

modules {
    ## LDAP Server configuration
    ldap {
    }

    ## LDAP User-to-Group mapping
    files {
        usersfile = ${confdir}/guest_vendor_mainanywhere_users
        acctusersfile = /dev/null
        preproxy_usersfile = /dev/null
        compat = no
    }
}

authenticate {
    ## Use LDAP Authentication (entry in modules/ldap)
    Auth-Type LDAP {
        dirnode
    }
    Auth-Type LDAP {
        dirnet
    }
}

authorize {
    ## Use LDAP Authorization via files config in 'users' (entry in modules/ldap)
    dirnode
    dirnet
}

and the ldap file entries as

ldap dirnet {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = "directory.sub.main.com"
    port = 389
    identity = "cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
    password = xxxxxx
    basedn = "ou=network,dc=main,dc=com"
    filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    ...
    groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))"
    ...
}

ldap dirnode {
    server = "directory.main.com"
    port = 389
    identity = "cn=wireless-agent,ou=agents,ou=Academic Computing,ou=units,dc=main,dc=com"
    password = yyyyyyyyyyy
    basedn = "dc=main,dc=com"
    filter = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_filter = "(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))"
    groupmembership_attribute = eduPersonEntitlement
    groupname_attribute = eduPersonEntitlement
    access_attr = uid
    ...
}

with the users file intact.

Any suggestions as to how to configure this, especially the "authorize" section, to allow trying both dirnode and dirnet would be welcome. (As it is now, dirnode auth works, but dirnet doesn't.)

Thank you!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
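One way to lay out the virtual server so that both ldap instances are consulted in authorize and the users file keeps choosing between DIRNET and DIRNODE. This is an added example, not part of the post above and not a file shipped with FreeRADIUS. It assumes the 2.x layout (raddb/modules/ and raddb/sites-available/); the virtual-server and files-instance name guestvendor, the CA file path under ${confdir}/certs/, and the start_tls lines are assumptions for illustration. Module settings the post elides are elided here too.

```conf
# raddb/modules/ldap
# Module instances are global in 2.x: a server {} block cannot carry its
# own modules {} section, so both ldap instances are defined here once.
ldap dirnet {
    server   = "directory.sub.main.com"
    port     = 389
    identity = "cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
    password = xxxxxx
    basedn   = "ou=network,dc=main,dc=com"
    filter   = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Name:-%{User-Name}}*))"
    # Assumed hardening, not in the original post: StartTLS on port 389 so
    # neither the bind password above nor the end users' passwords (sent in
    # the authenticate bind) cross the network in clear.
    start_tls        = yes
    tls_cacertfile   = ${confdir}/certs/ldap-ca.pem   # assumed path
    tls_require_cert = "demand"
    # ... remaining settings as in the stand-alone configuration
}

ldap dirnode {
    server   = "directory.main.com"
    port     = 389
    identity = "cn=wireless-agent,ou=agents,ou=Academic Computing,ou=units,dc=main,dc=com"
    password = yyyyyyyyyyy
    basedn   = "dc=main,dc=com"
    filter   = "(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_filter = "(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-User-Name:-%{User-Name}}*))"
    groupmembership_attribute = eduPersonEntitlement
    groupname_attribute = eduPersonEntitlement
    access_attr = uid
    start_tls        = yes                            # assumed, see above
    tls_cacertfile   = ${confdir}/certs/ldap-ca.pem   # assumed path
    tls_require_cert = "demand"
    # ...
}

# raddb/modules/files
# A second, named files instance (name assumed), so this server's users
# file does not replace the default "files" instance the other servers use.
files guestvendor {
    usersfile          = ${confdir}/guest_vendor_mainanywhere_users
    acctusersfile      = /dev/null
    preproxy_usersfile = /dev/null
    compat = no
}

# raddb/sites-available/guestvendor  (symlinked into sites-enabled/)
server guestvendor {
    authorize {
        preprocess

        # Both directories are queried in turn. A user missing from one
        # directory yields "notfound", which lets authorize continue to the
        # next module; only "fail" (directory unreachable) or "reject"
        # ends the section early.
        dirnode
        dirnet

        # The users file then selects the backend that authenticates:
        #   dirnet-Ldap-Group == "..."   Auth-Type := DIRNET
        #   User-Profile := "..."        Auth-Type := DIRNODE
        # Its ":=" overwrites any Auth-Type the ldap modules set above.
        guestvendor
    }

    authenticate {
        # Section names must equal the Auth-Type values the users file
        # assigns. Two sections both named "Auth-Type LDAP" collide and
        # cannot dispatch to two different instances; name them as the
        # stand-alone configuration did.
        Auth-Type DIRNODE {
            dirnode
        }
        Auth-Type DIRNET {
            dirnet
        }
    }
}
```

Requests reach this server the same way they reach the already-working ones, via a `virtual_server = guestvendor` entry on the client or listen block (the name is the assumption above). Two caveats a reviewer would raise: with both instances listed sequentially, a directory that is down returns "fail" and rejects everyone, so monitor both LDAP servers rather than relying on the second as a fallback; and the bind accounts named in `identity` should be read-only accounts scoped to their `basedn`, since their passwords sit in cleartext in raddb and, without StartTLS or ldaps, also on the wire.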