I am already using AddToReplyIfNotExist for the standard RADIUS
attributes, but that is not quite suitable for user profiles.
Each of our users has a serviceType which defines which type of service
they pay for. For example, some of these users are what we call
"daytimers" because they are only allowed in off-peak hours. Other
service types have unique reply items to enforce the service policies.
What I want to do is detect from AuthBy LDAP2 that serviceType=DAY
(using a request item), and requery LDAP to retrieve the necessary reply
items (Time, Session-Timeout) from a service template found in a
calculated DN (serviceType=%{serviceType},...o=Top).
I'm pretty sure I know how to configure all of this, except that I can't
find a way to perform the second LDAP query for the service template.
The LDAP2 module requires a userPassword which would never match in a
template. Perhaps a new AuthBy LDAP2 parameter could disable the
password check, allowing additional check/reply items to be applied?
I would like to keep the profiles in LDAP for centralization and
simplified maintenance, but if worse came to worse I suppose I could
have it fall through to a flat 'users' file as documented in
"goodies/profiles.txt". (Does this sound reasonable?)
Thanks,
Carl Litt
Network Administrator
Execulink Internet
On Tue, 3 Apr 2001, Hugh Irvine wrote:
>
> Hello Carl -
>
> Why not just use an AddToReply in the AuthBy clause?
>
> Section 6.16.7 in the Radiator 2.18 reference manual.
>
> hth
>
> Hugh
>
> At 14:20 -0400 01/4/2, Carl Litt wrote:
> >I am trying to configure a DEFAULT user with AuthBy LDAP2. I want to
> >authenticate the Access-Request via LDAP2, then retrieve a DEFAULT user
> >with LDAP2 which contains the necessary reply items. This is on my
> >way to using account profiles matched by LDAP request items.
> >
> >The only problem is that AuthBy LDAP2 always expects to authenticate the
> >user with a password. The documentation (6.33.9) states that PasswordAttr
> >or EncryptedPasswordAttr are required in the LDAP configuration. I did
> >try it without PasswordAttr, but I get an LDAP_PARAM_ERROR. Obviously
> >this won't let me look up a DEFAULT user record. I think I remember some
> >talk of how to do this with other AuthBy methods?
> >
> >My question is: How can I use LDAP2 to append profiled (or DEFAULT)
> >reply items to an Access-Accept?
> >
> >Here is what my config looks like right now:
> >
> ><AuthBy LDAP2>
> > # Authenticate the Access-Request from LDAP
> > # (This all works fine)
> > Identifier LDAP-login
> > ...
> ></AuthBy>
> >
> ><AuthBy LDAP2>
> > # Fetch the DEFAULT user's reply items
> > Identifier LDAP-DEFAULT
> > ...
> > SearchFilter
> > (&(objectclass=radiusAccount)([EMAIL PROTECTED]))
> > UsernameAttr mailLocalAddress
> > AuthAttrDef radiusReplyItem,GENERIC,reply
> ></AuthBy>
> >
> ><AuthBy GROUP>
> > Identifier genericLDAP
> > AuthByPolicy ContinueWhileAccept
> > AuthBy LDAP-login
> > AuthBy LDAP-DEFAULT
> ></AuthBy>
> >
> >Thanks,
> >
> >Carl Litt
> >Network Administrator
> >Execulink Internet
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
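The two-stage lookup Carl describes (authenticate the user, then fetch reply items from a per-serviceType template entry at a calculated DN) as an added stand-alone simulation; this is not Radiator code or anything from the thread. The directory is a constructed in-memory dict standing in for LDAP, and the entry DNs and template attribute name are assumptions. It also shows the one thing the calculated DN needs: the serviceType value escaped per RFC 4514 before it is spliced into the DN, and a template lookup path that can only add reply items, never authenticate.

```python
import hmac

# Constructed stand-in for the LDAP directory: DN -> attributes (assumed layout)
DIRECTORY = {
    "uid=alice,ou=users,o=Top": {"userPassword": "s3cret", "serviceType": "DAY"},
    "serviceType=DAY,ou=templates,o=Top": {
        "radiusReplyItem": ["Session-Timeout = 3600", "Time = Any0700-1800"]},
}

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def template_dn(service_type: str) -> str:
    """The calculated DN from the thread: serviceType=%{serviceType},...o=Top."""
    return f"serviceType={escape_dn_value(service_type)},ou=templates,o=Top"

def authenticate(username: str, password: str):
    """First query: the only place a password is ever compared."""
    entry = DIRECTORY.get(f"uid={escape_dn_value(username)},ou=users,o=Top")
    if entry is None or "userPassword" not in entry:
        return None
    if not hmac.compare_digest(entry["userPassword"], password):
        return None
    return entry

def profile_reply_items(service_type: str) -> dict:
    """Second query: reads reply items only; a template has no password and
    cannot produce an Accept by itself, so skipping the password check is safe."""
    entry = DIRECTORY.get(template_dn(service_type), {})
    items = {}
    for line in entry.get("radiusReplyItem", []):
        name, _, value = line.partition("=")
        items[name.strip()] = value.strip()
    return items

def access_request(username: str, password: str):
    """Returns the RADIUS response code and the merged reply items."""
    user = authenticate(username, password)
    if user is None:
        return ("Access-Reject", {})
    return ("Access-Accept", profile_reply_items(user["serviceType"]))
```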