I'm not really sure if I'm doing this right, maybe someone can provide guidance. I have two problems: a) how to structure my directory and b) how to do two lookups in rlm_ldap.

But, effectively, LDAP is our authorization store and I'm proxying RADIUS to an RSA server for authentication only. We're removing all authorization from RSA.

So, I've got devices in ou=Hosts,dc=blah,dc=com that are following the ipHost objectClass. Basically, I need a mechanism to put those devices into 'groupOfIpHosts' - which isn't a real concept.

So, I use the 'seeAlso' attribute to reference a group of systems for that particular ipHost.

Then, I look up that group and check if the user authenticating is a uniqueMember in that group.

So, I'm basically doing two ldap lookups. Right now, I'm doing it in an rlm_perl module which has obvious disadvantages (ldap persistence).

So:
a) is there a better way to structure my directory?
b) can I do multiple ldap lookups using rlm_ldap to achieve the same end goal?

LDAP calls look like this now:

1) get the hosts group

        # find the ipHost entry for this device and read the group DN it points at
        $mesg = $ldap->search(
                        base   => "ou=Hosts,dc=comcast,dc=com",
                        filter => "(ipHostNumber=$ipaddress)",
                        attrs  => ["seeAlso"],
                     );
        # the seeAlso value of the (single) matching entry is the group DN
        my ($entry) = $mesg->entries;
        my $group   = $entry ? $entry->get_value("seeAlso") : undef;

2) verify user in group

        # search the group entry itself for a uniqueMember equal to the user's DN
        $mesg = $ldap->search(
                        base   => $group,
                        scope  => "base",
                        filter => qq{(uniqueMember=uid=$username,ou=users,dc=comcast,dc=com)},
                        attrs  => ["uniqueMember"],
                     );
        # $mesg->count is 1 when the user is a member, 0 otherwise

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
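The two lookups written as a persistent rlm_perl authorize handler, added here as an illustration and not code from the original post. It assumes the stock rlm_perl conventions (`%RAD_REQUEST` and the numeric return-code constants from the example script), a service bind DN, example base DNs under `dc=example,dc=com`, and that the device's address arrives in `NAS-IP-Address`; the file-scoped `$ldap` handle is what keeps the connection alive between requests, and user input is escaped before it reaches a DN or filter.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value escape_dn_value);

# Globals rlm_perl populates / return codes as in its stock example script.
our %RAD_REQUEST;
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2 };

my $LDAP_URI  = 'ldaps://ldap.example.com';           # assumed server
my $BIND_DN   = 'cn=radius,dc=example,dc=com';        # assumed service account
my $BIND_PW   = 'changeme';                           # assumed, placeholder
my $HOST_BASE = 'ou=Hosts,dc=example,dc=com';         # assumed base DNs
my $USER_BASE = 'ou=users,dc=example,dc=com';
my $ldap;   # lives for the lifetime of the interpreter, so it is reused per request

# Return a bound handle, reconnecting only if the previous socket is gone.
sub ldap_handle {
    if (!$ldap || !$ldap->socket || !$ldap->socket->connected) {
        $ldap = Net::LDAP->new($LDAP_URI, timeout => 5) or return;
        my $bind = $ldap->bind($BIND_DN, password => $BIND_PW);
        if ($bind->code) { undef $ldap; return; }
    }
    return $ldap;
}

sub authorize {
    my $conn = ldap_handle() or return RLM_MODULE_FAIL;
    my $ip   = escape_filter_value($RAD_REQUEST{'NAS-IP-Address'} // '');
    my $name = $RAD_REQUEST{'User-Name'} // '';

    # Lookup 1: the ipHost entry for this device; seeAlso names its group.
    my $hosts = $conn->search(base => $HOST_BASE, scope => 'sub',
                              filter => "(ipHostNumber=$ip)", attrs => ['seeAlso']);
    return RLM_MODULE_FAIL if $hosts->code;
    my ($host) = $hosts->entries;
    my $group  = $host ? $host->get_value('seeAlso') : undef;
    return RLM_MODULE_REJECT unless $group;      # device not enrolled: nobody is authorized

    # Lookup 2: base-scope search on the group DN for a uniqueMember equal to the
    # user's DN. The DN component and the filter value are escaped separately.
    my $user_dn = sprintf('uid=%s,%s', escape_dn_value($name), $USER_BASE);
    my $filter  = sprintf('(uniqueMember=%s)', escape_filter_value($user_dn));
    my $members = $conn->search(base => $group, scope => 'base',
                                filter => $filter, attrs => ['1.1']);
    return RLM_MODULE_FAIL if $members->code;
    return $members->count ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}
```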
