On Wed, May 26, 2010 at 05:27:47PM +0800, Stephon Chen wrote:
> I've used freeradius as the front of an LDAP server.
>
> Here, I want to allow different access rights for each LDAP group & client
> ip address
> For example below:
>
> user X in LDAP group A, from ip IP-A
> user Y in LDAP group B, from ip IP-B
>
> if the user is from IP-A and user in LDAP group A, then send Accept-Accept
> packet
>
> How can this be done with freeradius?

Read the group attribute from LDAP and put it into a RADIUS attribute (cf. ldap.attrmap), and then check its value in the post-auth section using some unlang comparison. If you keep the list of IP-A, IP-B, ... in LDAP, you can use the same source; otherwise keep a static list or do an SQL lookup or whatever.
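
The approach described in the reply, sketched as an added example for a FreeRADIUS 2.x layout (not configuration from the original thread): the LDAP group is mapped into a local attribute and post-auth rejects any user whose group and client address pair is not on a static allow list. The attribute name `My-LDAP-Group`, its number 3000, the LDAP attribute `memberOf`, the group DNs and the addresses are all assumptions. It also assumes the group attribute is single-valued and that "client ip" means the RADIUS client that sent the request.

```text
# raddb/dictionary
# Local attribute that will carry the user's LDAP group (assumed name and number).
ATTRIBUTE	My-LDAP-Group	3000	string

# raddb/ldap.attrmap
# ItemType	RADIUS attribute	LDAP attribute
# Copy the user's group attribute from the directory into the control list.
# "memberOf" is an assumption; use the attribute your directory actually provides.
checkItem	My-LDAP-Group	memberOf

# raddb/sites-available/default
post-auth {
	# Static allow list of (LDAP group, client address) pairs.
	# The DNs and 192.0.2.x addresses are constructed placeholder values.
	if ((control:My-LDAP-Group == "cn=groupA,ou=groups,dc=example,dc=org") && \
	    ("%{Packet-Src-IP-Address}" == "192.0.2.10")) {
		ok
	}
	elsif ((control:My-LDAP-Group == "cn=groupB,ou=groups,dc=example,dc=org") && \
	       ("%{Packet-Src-IP-Address}" == "192.0.2.20")) {
		ok
	}
	else {
		# Default deny: a missing group attribute or an unlisted address
		# turns the pending Access-Accept into an Access-Reject.
		reject
	}
}
```

Running `radiusd -X` shows whether the attribute arrives in the control list and which branch of the policy matched for a given request.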