On Wed, May 26, 2010 at 05:27:47PM +0800, Stephon Chen wrote:
> I've used freeradius as the front of a LDAP server.
> 
> Here, I want to allow different access rights for each LDAP group & client
> ip address
> For example below:
> 
> user X in LDAP group A, from ip  IP-A
> user Y in LDAP group B, from ip IP-B
> 
> if the user is from IP-A and user in LDAP group A, then send Accept-Accept
> packet
> 
> How can this be done with freeradius?

Read the group attribute from LDAP and put it into a RADIUS attribute (cf.
ldap.attrmap), and then check its value in the post-auth section using
some unlang comparison. If you keep the list of IP-A, IP-B, ... in LDAP,
you can use the same source; otherwise keep a static list or do an SQL
lookup or whatever.

-- 
     2. That which causes joy or happiness.
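
The approach from the reply above, sketched as configuration fragments in FreeRADIUS 2.x syntax. This is an added example, not part of the original message. The attribute name Site-Ldap-Group, the LDAP attribute radiusGroupName, the group names and the 192.0.2.x addresses are placeholders, and "client ip" is assumed to mean the source address of the RADIUS packet.

```unlang
# --- raddb/dictionary ---------------------------------------------------
# Local attribute that is never sent on the wire (hypothetical name).
# Numbers 3000-3999 are the range the stock dictionary reserves for this.
ATTRIBUTE	Site-Ldap-Group		3000	string

# --- raddb/ldap.attrmap -------------------------------------------------
# Copy the LDAP attribute that holds the user's group into the check
# (control) list. "radiusGroupName" is a placeholder for whatever
# attribute your directory actually uses.
checkItem	Site-Ldap-Group		radiusGroupName

# --- raddb/sites-available/default --------------------------------------
authorize {
	# ... existing modules ...
	ldap		# must run so the mapping above is populated
}

post-auth {
	# Allow only the listed (group, client IP) pairs and default to
	# reject, so an unmapped group or an unknown client fails closed.
	if ((control:Site-Ldap-Group == "groupA") && ("%{Packet-Src-IP-Address}" == "192.0.2.10")) {
		ok
	}
	elsif ((control:Site-Ldap-Group == "groupB") && ("%{Packet-Src-IP-Address}" == "192.0.2.20")) {
		ok
	}
	else {
		reject
	}
}
```

Run the server with `radiusd -X` and check the debug output for the value of Site-Ldap-Group after the ldap module runs; a user whose entry lacks the attribute falls through to the final reject.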