I am already using AddToReplyIfNotExist for the standard RADIUS attributes, but that is not quite suitable for user profiles. Each of our users has a serviceType which defines which type of service they pay for. For example, some of these users are what we call "daytimers" because they are only allowed in off-peak hours. Other service types have unique reply items to enforce the service policies.

What I want to do is detect from AuthBy LDAP2 that serviceType=DAY (using a request item), and requery LDAP to retrieve the necessary reply items (Time, Session-Timeout) from a service template found in a calculated DN (serviceType=%{serviceType},...o=Top).

I'm pretty sure I know how to configure all of this, except that I can't find a way to perform the second LDAP query for the service template. The LDAP2 module requires a userPassword which would never match in a template. Perhaps a new AuthBy LDAP2 parameter could disable the password check, allowing additional check/reply items to be applied?

I would like to keep the profiles in LDAP for centralization and simplified maintenance, but if worse came to worse I suppose I could have it fall through to a flat 'users' file as documented in "goodies/profiles.txt". (Does this sound reasonable?)

Thanks,

Carl Litt
Network Administrator
Execulink Internet

On Tue, 3 Apr 2001, Hugh Irvine wrote:

> Hello Carl -
>
> Why not just use an AddToReply in the AuthBy clause?
>
> Section 6.16.7 in the Radiator 2.18 reference manual.
>
> hth
>
> Hugh
>
> At 14:20 -0400 01/4/2, Carl Litt wrote:
> >I am trying to configure a DEFAULT user with AuthBy LDAP2. I want
> >to authenticate the Access-Request via LDAP2, then retrieve a DEFAULT user
> >with LDAP2 which contains the necessary reply items. This is on my
> >way to using account profiles matched by LDAP request items.
> >
> >The only problem is that AuthBy LDAP2 always expects to authenticate the
> >user with a password. The documentation (6.33.9) states that PasswordAttr
> >or EncryptedPasswordAttr are required in the LDAP configuration. I did
> >try it without PasswordAttr, but I get an LDAP_PARAM_ERROR. Obviously
> >this won't let me look up a DEFAULT user record. I think I remember some
> >talk of how to do this with other AuthBy methods?
> >
> >My question is: How can I use LDAP2 to append profiled (or DEFAULT)
> >reply items to an Access-Accept?
> >
> >Here is what my config looks like right now:
> >
> ><AuthBy LDAP2>
> >    # Authenticate the Access-Request from LDAP
> >    # (This all works fine)
> >    Identifier LDAP-login
> >    ...
> ></AuthBy>
> >
> ><AuthBy LDAP2>
> >    # Fetch the DEFAULT user's reply items
> >    Identifier LDAP-DEFAULT
> >    ...
> >    SearchFilter (&(objectclass=radiusAccount)([EMAIL PROTECTED]))
> >    UsernameAttr mailLocalAddress
> >    AuthAttrDef radiusReplyItem,GENERIC,reply
> ></AuthBy>
> >
> ><AuthBy GROUP>
> >    Identifier genericLDAP
> >    AuthByPolicy ContinueWhileAccept
> >    AuthBy LDAP-login
> >    AuthBy LDAP-DEFAULT
> ></AuthBy>
> >
> >Thanks,
> >
> >Carl Litt
> >Network Administrator
> >Execulink Internet
> >
> >===
> >Archive at http://www.starport.net/~radiator/
> >Announcements on [EMAIL PROTECTED]
> >To unsubscribe, email '[EMAIL PROTECTED]' with
> >'unsubscribe radiator' in the body of the message.
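The two-stage lookup discussed in this thread, modelled in Python as an added example (not code from the posters and not Radiator's implementation): a password-checked login stage, then a template stage with no password check that only runs after an accept and only adds reply items the user entry did not already set. The directory contents, the `ou=EXAMPLE` component, the function names and the fail-closed handling of a missing template are assumptions.

```python
import hmac

ACCEPT, REJECT = "ACCEPT", "REJECT"

# Constructed sample directory. "ou=EXAMPLE" stands in for the DN parts the
# post elides; every name and value here is hypothetical.
DIRECTORY = {
    "uid=carol,ou=EXAMPLE,o=Top": {
        "userPassword": "pw-carol", "serviceType": "DAY",
        "radiusReplyItem": {"Session-Timeout": "7200"}},
    "uid=dave,ou=EXAMPLE,o=Top": {
        "userPassword": "pw-dave", "serviceType": "NIGHT,o=Other",
        "radiusReplyItem": {}},
    "serviceType=DAY,ou=EXAMPLE,o=Top": {
        "radiusReplyItem": {"Session-Timeout": "3600", "Idle-Timeout": "600"}},
}

def escape_dn_value(value):
    """Backslash-escape DN metacharacters (per RFC 4514) so the value stays one RDN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def login_stage(username, password):
    """Stage 1: password-checked user lookup (the LDAP-login role)."""
    entry = DIRECTORY.get(f"uid={escape_dn_value(username)},ou=EXAMPLE,o=Top")
    stored = entry.get("userPassword", "") if entry else ""
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return REJECT, {}, None
    return ACCEPT, dict(entry["radiusReplyItem"]), entry["serviceType"]

def profile_stage(service_type):
    """Stage 2: template lookup with no password check."""
    dn = f"serviceType={escape_dn_value(service_type)},ou=EXAMPLE,o=Top"
    entry = DIRECTORY.get(dn)
    if entry is None:  # assumption: an unknown service type fails closed
        return REJECT, {}
    return ACCEPT, dict(entry["radiusReplyItem"])

def authenticate(username, password):
    """Run both stages, stopping at the first non-accept (ContinueWhileAccept)."""
    result, reply, service_type = login_stage(username, password)
    if result != ACCEPT:
        return REJECT, {}
    result, template = profile_stage(service_type)
    if result != ACCEPT:
        return REJECT, {}
    for name, value in template.items():
        reply.setdefault(name, value)  # add only if the user entry did not set it
    return ACCEPT, reply
```

Because the template stage skips the password check, it is only safe when it cannot be reached before the login stage has accepted, which is what the ordering inside `authenticate` enforces.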