Hello Enrique -

You can use whatever LDAP attribute name you wish, and if you use the "Auth-Type = nnnnnnn" format for the value of the attribute you can use a GENERIC check item to refer the authentication to another AuthBy clause.

Something like this:

# define AuthBy clauses

<AuthBy SYSTEM>
Identifier CheckSystem
....
</AuthBy>

<AuthBy RADIUS>
Identifier ForwardToProxy
.....
</AuthBy>

<AuthBy ACE>
Identifier CheckAce
.....
</AuthBy>

<AuthBy LDAP2>
Identifier CheckLDAP
.....
AuthAttrDef authTypeObject, GENERIC, check
.....
</AuthBy>

.....

# define Realms or Handlers

<Handler ....>
AuthBy CheckLDAP
......
</Handler>

.....


Then each of the user records in the LDAP database would contain something like this in the authTypeObject field:

Auth-Type = CheckSystem

or

Auth-Type = ForwardToProxy

or

Auth-Type = CheckAce

Hope that helps.

regards

Hugh
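
As an added illustration (not Radiator's code, and not part of either post), here is a small Python model of the check-item behaviour both messages turn on: a plain AuthAttrDef check item is compared against what the NAS put in the request, while a GENERIC check item carrying "Auth-Type = <Identifier>" hands the request to the named AuthBy clause. The function names, the request dictionary and the GENERIC parsing rules are assumptions made for the model.

```python
# Added illustration, not Radiator code: a simplified model of how check items
# taken from an LDAP entry via AuthAttrDef are evaluated. Function names, the
# request dictionary and the GENERIC parsing rules are assumptions for the model.
import re

def parse_generic(value):
    """Split a GENERIC value such as 'Auth-Type = CheckAce, Foo = "bar"'
    into (attribute, value) check items (comma-separated, optional quotes)."""
    items = []
    for part in value.split(","):
        m = re.match(r'\s*([\w-]+)\s*=\s*"?([^"]*?)"?\s*$', part)
        if m:
            items.append((m.group(1), m.group(2)))
    return items

def evaluate(ldap_entry, auth_attr_defs, request, authby_ids):
    """Return ('dispatch', identifier), ('accept', None) or ('reject', reason).

    ldap_entry:     attributes found for the user in LDAP
    auth_attr_defs: (ldap_attr, radius_attr, 'check' | 'reply') tuples
    request:        attributes the NAS actually put in the Access-Request
    authby_ids:     Identifier values of the configured AuthBy clauses
    """
    check_items = []
    for ldap_attr, radius_attr, kind in auth_attr_defs:
        if kind != "check" or ldap_attr not in ldap_entry:
            continue
        value = ldap_entry[ldap_attr]
        if radius_attr == "GENERIC":
            check_items.extend(parse_generic(value))   # Hugh's approach
        else:
            check_items.append((radius_attr, value))   # Enrique's approach
    for attr, expected in check_items:
        if attr == "Auth-Type":
            # Special check item: hand the request to the named AuthBy clause.
            if expected not in authby_ids:
                return ("reject", f"no AuthBy with Identifier {expected!r}")
            return ("dispatch", expected)
        # Ordinary check item: the LDAP value must equal what the request
        # carries. A NAS never sends NO-ACE-Server, so 'ace' != '' and the
        # request is rejected, exactly as in the quoted debug output.
        got = request.get(attr, "")
        if got != expected:
            return ("reject", f"Check item {attr} expression {expected!r} "
                              f"does not match {got!r} in request")
    return ("accept", None)
```

Running Enrique's definition through the model reproduces the reject, and Hugh's GENERIC definition dispatches to whichever Identifier the user's Auth-Type names.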


On Tuesday, Jan 28, 2003, at 00:24 Australia/Melbourne, Enrique Diez wrote:

Hi All,
I would like to know if there is an LDAP attribute (customized or
standardized) in order to define the kind of authentication required for a
user entry.
For example, a user LDAP entry can be validated by the Radiator Radius
Server via /etc/unix/password or a remote radius or ACE/SERVER according to
the value of an "Auth-type" LDAP attribute.
Another question is : where can I get the perl script for installing the
Authen-ACE module? I would like to test interoperability with ACE/SERVER.

Can I get some help from this marvellous mailing list:))

Regards,
Enrique

-----Original Message-----
From: Enrique Diez Fernandez [mailto:[EMAIL PROTECTED]]
Sent: Friday, 24 January 2003 20:03
To: [EMAIL PROTECTED]
Subject:

Hi All,
I am trying to configure my radiator radius server in order to check an ldap
entry and verify an attribute of that server.
I want to check if the attribute "authmethod" value is "ace" or "none". In
case of "ace", I want the server to reject the authentication request.
The configuration of the server is below:
" <AuthBy LDAP2>
Host 192.168.70.134
Port 389
AuthDN cn=Directory Manager
# AuthPassword yourADadminpasswordhere
AuthPassword qwerty123
BaseDN ou=area3,o=davinci,st=Madrid,c=es
UsernameAttr uid
PasswordAttr userPassword
AuthAttrDef authmethod,NO-ACE-Server,check
</AuthBy>
".

I have added to the user config file the line:
DEFAULT NO-ACE-Server = "none"

I have added to the "Check items" in the dictionary file the following line:
" ATTRIBUTE NO-ACE-Server 90480019 string"

When I tried to access with the user Albertoj, whose authmethod value is
ace, I would like to get an accept-request response from the radius but I
got the following debug:
" Code: Access-Request
Identifier: 2
Authentic: 1043434427
Attributes:
User-Name = "albertoj"
User-Password = "oPW<204><169><11>1f<23>=<164><26><29><224><182><179>"

Fri Jan 24 19:53:47 2003: DEBUG: Handling request with Handler 'Realm='
Fri Jan 24 19:53:47 2003: DEBUG: Deleting session for albertoj, 192.168.70.11

Fri Jan 24 19:53:47 2003: DEBUG: Handling with Radius::AuthLDAP2:
Fri Jan 24 19:53:47 2003: INFO: Connecting to 192.168.70.134, port 389
Fri Jan 24 19:53:47 2003: INFO: Attempting to bind with cn=Directory Manager, qwerty123 (server 192.168.70.134:389)
Fri Jan 24 19:53:47 2003: DEBUG: LDAP got result for cn=Alberto Juarez,ou=area3,o=davinci,st=Madrid,c=es
Fri Jan 24 19:53:47 2003: DEBUG: LDAP got userPassword: {SSHA}VpP5xc7VlLwrp0mF5kaCC6eGPuPU8wq34ffw==
Fri Jan 24 19:53:47 2003: DEBUG: LDAP got authmethod: ace
Fri Jan 24 19:53:47 2003: DEBUG: Radius::AuthLDAP2 looks for match with albertoj

Fri Jan 24 19:53:47 2003: DEBUG: Radius::AuthLDAP2 REJECT: Check item NO-ACE-Server expression 'ace' does not match '' in request
Fri Jan 24 19:53:47 2003: INFO: Connecting to 192.168.70.134, port 389
Fri Jan 24 19:53:47 2003: INFO: Attempting to bind with cn=Directory Manager, qwerty123 (server 192.168.70.134:389)
Fri Jan 24 19:53:47 2003: DEBUG: No entries for DEFAULT found in LDAP database
Fri Jan 24 19:53:47 2003: INFO: Access rejected for albertoj: Check item NO-ACE-Server expression 'ace' does not match '' in request
Fri Jan 24 19:53:47 2003: DEBUG: Packet dump:
*** Sending to 192.168.70.116 port 1221 ....
Code: Access-Reject
Identifier: 2
Authentic: 1043434427
Attributes:
Reply-Message = "Request Denied""


Is there anything I am missing?

Any documentation about the LDAP documentation checks?

Regards,
Enrique

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
