Hello Carl -

Yes, I understand what you want to do. I am sure that it can be done 
from LDAP because some of our customers do this.

Have a look at the archive site:

http://www.starport.net/~radiator/2000-11/msg00000.html

I'm sure there are other postings on this topic as well.

hth

Hugh


At 12:41 -0400 01/4/3, Carl Litt wrote:
>I am already using AddToReplyIfNotExist for the standard RADIUS
>attributes, but that is not quite suitable for user profiles.
>
>Each of our users has a serviceType which defines which type of service
>they pay for.  For example, some of these users are what we call
>"daytimers" because they are only allowed in off-peak hours.  Other
>service types have unique reply items to enforce the service policies.
>
>What I want to do is detect from AuthBy LDAP2 that serviceType=DAY
>(using a request item), and requery LDAP to retrieve the necessary reply
>items (Time, Session-Timeout) from a service template found in a
>calculated DN (serviceType=%{serviceType},...o=Top).
>
>I'm pretty sure I know how to configure all of this, except that I can't
>find a way to perform the second LDAP query for the service template.
>The LDAP2 module requires a userPassword which would never match in a
>template.  Perhaps a new AuthBy LDAP2 parameter could disable the
>password check, allowing additional check/reply items to be applied?
>
>I would like to keep the profiles in LDAP for centralization and
>simplified maintenance, but if worse came to worst I suppose I could
>have it fall through to a flat 'users' file as documented in
>"goodies/profiles.txt".  (Does this sound reasonable?)
>
>Thanks,
>Carl Litt
>Network Administrator
>Execulink Internet
>
>
>On Tue, 3 Apr 2001, Hugh Irvine wrote:
>
>>
>>  Hello Carl -
>>
>>  Why not just use an AddToReply in the AuthBy clause?
>>
>>  Section 6.16.7 in the Radiator 2.18 reference manual.
>>
>>  hth
>>
>>  Hugh
>>
>>  At 14:20 -0400 01/4/2, Carl Litt wrote:
>>  >I am trying to configure a DEFAULT user with AuthBy LDAP2.  I want to
>>  >authenticate the Access-Request via LDAP2, then retrieve a DEFAULT user
>>  >with LDAP2 which contains the necessary reply items.  This is on my
>>  >way to using account profiles matched by LDAP request items.
>>  >
>>  >The only problem is that AuthBy LDAP2 always expects to authenticate the
>>  >user with a password.  The documentation (6.33.9) states that PasswordAttr
>>  >or EncryptedPasswordAttr are required in the LDAP configuration.  I did
>>  >try it without PasswordAttr, but I get an LDAP_PARAM_ERROR.  Obviously
>>  >this won't let me look up a DEFAULT user record.  I think I remember some
>>  >talk of how to do this with other AuthBy methods?
>>  >
>>  >My question is: How can I use LDAP2 to append profiled (or DEFAULT)
>>  >reply items to an Access-Accept?
>>  >
>>  >Here is what my config looks like right now:
>>  >
>>  ><AuthBy LDAP2>
>>  >   # Authenticate the Access-Request from LDAP
>>  >   # (This all works fine)
>>  >   Identifier      LDAP-login
>>  >   ...
>>  ></AuthBy>
>>  >
>>  ><AuthBy LDAP2>
>>  >   # Fetch the DEFAULT user's reply items
>>  >   Identifier      LDAP-DEFAULT
>>  >   ...
>>  >   SearchFilter    (&(objectclass=radiusAccount)([EMAIL PROTECTED]))
>>  >   UsernameAttr    mailLocalAddress
>>  >   AuthAttrDef     radiusReplyItem,GENERIC,reply
>>  ></AuthBy>
>>  >
>>  ><AuthBy GROUP>
>>  >   Identifier      genericLDAP
>>  >   AuthByPolicy    ContinueWhileAccept
>>  >   AuthBy          LDAP-login
>>  >   AuthBy          LDAP-DEFAULT
>>  ></AuthBy>
>>  >
>>  >Thanks,
>>  >
>>  >Carl Litt
>>  >Network Administrator
>>  >Execulink Internet
>>  >
>>  >
>>  >
>>  >
>>  >===
>>  >Archive at http://www.starport.net/~radiator/
>>  >Announcements on [EMAIL PROTECTED]
>>  >To unsubscribe, email '[EMAIL PROTECTED]' with
>>  >'unsubscribe radiator' in the body of the message.
>>
>>
>
>

-- 

NB: I am travelling this week, so there may be delays in our correspondence.

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.

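The two-stage flow Carl describes (password check against the user's own LDAP entry, then a password-less lookup of a per-serviceType template whose attributes become reply items) can be modelled outside Radiator. The following is an added example written for this thread, not Radiator's own code or a configuration for it: it uses a constructed in-memory directory in place of LDAP, a hypothetical `ou=services,o=Top` subtree for the templates, a made-up `radiusReplyItem` layout, and plain SHA-256 digests standing in for whatever the real directory stores. What it shows is the ordering property that makes a password-less template entry safe to use: the template stage only ever adds reply items and is reached only after the password stage has accepted, so a lookup that "never matches a password" can never be the thing that grants access.

```python
"""Model of a two-stage RADIUS authorisation chain, in the spirit of an
AuthBy GROUP with AuthByPolicy ContinueWhileAccept:

  stage 1: password check against the user's own entry
  stage 2: password-less lookup of serviceType=<type>,ou=services,o=Top,
           whose attributes become reply items on the Access-Accept

Constructed example; the directory, DN layout and attribute names are
assumptions for illustration, not Radiator's code or schema."""
import hashlib
import hmac


def _digest(secret: str) -> str:
    # Stand-in for the stored userPassword; a real directory would use an
    # LDAP bind or a salted scheme, not a bare SHA-256.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed in-memory "directory", keyed by DN.
DIRECTORY = {
    "uid=alice,ou=people,o=Top": {"userPassword": _digest("correct horse"),
                                  "serviceType": "DAY"},
    "uid=bob,ou=people,o=Top":   {"userPassword": _digest("s3cret"),
                                  "serviceType": "FULL"},
    "uid=carol,ou=people,o=Top": {"userPassword": _digest("hunter2"),
                                  "serviceType": "NIGHT"},   # no template
    # Service templates: no userPassword at all, only reply items.
    "serviceType=DAY,ou=services,o=Top":
        {"radiusReplyItem": ["Session-Timeout = 3600", "Time = Wk0800-1800"]},
    "serviceType=FULL,ou=services,o=Top":
        {"radiusReplyItem": ["Session-Timeout = 86400"]},
}


def authenticate(username: str, password: str):
    """Stage 1. Returns (accepted, entry). An entry without a userPassword
    (such as a template) can never pass this stage."""
    entry = DIRECTORY.get(f"uid={username},ou=people,o=Top")
    if entry is None or "userPassword" not in entry:
        return False, None
    ok = hmac.compare_digest(entry["userPassword"], _digest(password))
    return ok, (entry if ok else None)


def fetch_template(service_type: str):
    """Stage 2. Password-less lookup of the calculated template DN.
    It contributes reply items only and cannot accept a request itself."""
    return DIRECTORY.get(f"serviceType={service_type},ou=services,o=Top")


def parse_reply_items(items):
    """Turn 'Name = value' strings into a reply-attribute dict."""
    reply = {}
    for item in items:
        name, _, value = item.partition("=")
        reply[name.strip()] = value.strip()
    return reply


def handle_access_request(username: str, password: str):
    """Returns ('Access-Accept', reply_items) or ('Access-Reject', {}).
    The chain stops at the first stage that does not accept, so the
    template lookup runs only after the password check has passed."""
    accepted, entry = authenticate(username, password)
    if not accepted:
        return "Access-Reject", {}
    template = fetch_template(entry.get("serviceType", ""))
    if template is None:
        # Unknown service type: fail closed rather than grant an
        # unprofiled session with no policy attributes attached.
        return "Access-Reject", {}
    return "Access-Accept", parse_reply_items(template["radiusReplyItem"])


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "s3cret"), ("carol", "hunter2")]:
        print(user, handle_access_request(user, pw))
```

Two design points carry over to any real configuration of this pattern. First, the password-checking stage must be the one that gates the chain; if the template lookup could accept on its own, anyone able to name a valid serviceType would get an Access-Accept without a credential. Second, a user whose serviceType has no template is rejected rather than accepted without policy attributes, because the reply items (Time, Session-Timeout) are what enforce the service restrictions in the first place.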