Re: grouping services - LDAP

2005-07-20 Thread Rohaizam Abu Bakar


I've read the doc & did it exactly as suggested and it's working..
thanx!!


--haizam
- Original Message - 
From: "Dusty Doris" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Wednesday, July 20, 2005 21:18
Subject: Re: grouping services - LDAP





On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:


Hi all,

Using Freeradius 1.0.4 (FB 4.11)


I want to group between dialup & adsl... refer to users file below by
if Ldap-Group ==ADSL is found, should authenticate/authorize by
"ldapadsl" and if not found, assuming dialup user and should
authenticate/authorize by "ldap1/ldap2" (DIALUP)

But the problem, referring to debug log.. doesn't matter whether
Ldap-Group=ADSL is found or not, it still check at both ldap1/ldap2 &
ldapadsl i.e. checking "adslAccess & dialAcess" attribute.

What i want is that.. If Ldap-Group ==ADSL is found, it should be
handled by "ldapadsl" and not checking "ldap1/ldap2" and same goes when
not found, it will be handled by "ldap1/ldap2" and not checking
"ldapadsl"


anyone can help.?? thanks


Try using Autz Type as well, there is some documentation on it in the doc
dir.

It might look something like this.

DEFAULT Ldap-Group == "ADSL", Autz-Type := ADSL, Auth-Type := ADSL

DEFAULT Autz-Type := LDAP, Auth-Type := LDAP


#
authorize {
    Autz-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
    Autz-Type ADSL {
        ldapadsl
    }
}
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html







Re: grouping services - LDAP

2005-07-20 Thread Dusty Doris


On Wed, 20 Jul 2005, Rohaizam Abu Bakar wrote:

> Hi all,
>
> Using Freeradius 1.0.4 (FB 4.11)
>
>
> I want to grouping between dialup & adsl... refer to users file below by
> if Ldap-Group ==ADSL is found, should authenticate/authorize by
> "ldapadsl" and if not found, assuming dialup user and should
> authenticate/authorize by "ldap1/ldap2" (DIALUP)
>
> But the problem, referring to debug log.. doesn't matter whether
> Ldap-Group=ADSL is found or not, it still check at both ldap1/ldap2 &
> ldapadsl i.e. checking "adslAccess & dialAcess" attribute.
>
> What i want is that.. If Ldap-Group ==ADSL is found, it should be
> handled by "ldapadsl" and not checking "ldap1/ldap2" and same goes when
> not found, it will be handled by "ldap1/ldap2" and not checking
> "ldapadsl"
>
>
> anyone can help.?? thanks

Try using Autz Type as well, there is some documentation on it in the doc
dir.

It might look something like this.

DEFAULT Ldap-Group == "ADSL", Autz-Type := ADSL, Auth-Type := ADSL

DEFAULT Autz-Type := LDAP, Auth-Type := LDAP


#
authorize {
    Autz-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
    Autz-Type ADSL {
        ldapadsl
    }
}
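
Added example, not part of the original thread and not FreeRADIUS code: a simplified Python model of the two authorize layouts discussed above, tracing which LDAP instances are consulted for a dial-up user and an ADSL user. The directory entries, the user `dsluser`, the `DIALUP` value and all function names are constructed for illustration, and only the first server of the redundant pair is modelled.

```python
# Simplified model (an assumption, not FreeRADIUS source) of the authorize
# behaviour described in this thread. Directory entries are constructed.
DIRECTORY = {
    "organza": {"jaringConnectionType": "DIALUP", "dialupAccess": "yes"},
    "dsluser": {"jaringConnectionType": "ADSL", "adslAccess": "yes"},
}

# access_attr of each rlm_ldap instance, taken from the posted module configs
ACCESS_ATTR = {"ldap1": "dialupAccess", "ldap2": "dialupAccess",
               "ldapadsl": "adslAccess"}


def users_file(user):
    """First matching DEFAULT entry: Ldap-Group == "ADSL" selects ADSL."""
    in_adsl = DIRECTORY[user].get("jaringConnectionType") == "ADSL"
    return "ADSL" if in_adsl else "LDAP"


def run_ldap(instance, user, trace):
    """access_attr check: a missing attribute is 'access denied by default'."""
    trace.append(instance)
    return ACCESS_ATTR[instance] in DIRECTORY[user]


def run_redundant(instances, user, trace):
    """redundant { }: the first instance answers, the rest are failover only."""
    return run_ldap(instances[0], user, trace)


def authorize_original(user):
    """Posted layout: redundant{ldap1 ldap2}, then ldapadsl, for every user."""
    trace = []
    for group in (["ldap1", "ldap2"], ["ldapadsl"]):
        if not run_redundant(group, user, trace):
            return False, trace  # a reject stops the section
    return True, trace


def authorize_autz_type(user):
    """Suggested layout: only the sub-section named by Autz-Type runs."""
    trace = []
    sections = {"LDAP": ["ldap1", "ldap2"], "ADSL": ["ldapadsl"]}
    ok = run_redundant(sections[users_file(user)], user, trace)
    return ok, trace


if __name__ == "__main__":
    for name in DIRECTORY:
        print(name, authorize_original(name), authorize_autz_type(name))
```

In the original layout both users are rejected, because each lacks the other service's access attribute; with the Autz-Type sub-sections each user only meets the instance for their own service.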


grouping services - LDAP

2005-07-19 Thread Rohaizam Abu Bakar



Hi all,
 
Using Freeradius 1.0.4 (FB 4.11)
 
 
I want to group between dialup & adsl... refer to users file below by
if Ldap-Group ==ADSL is found, should authenticate/authorize by
"ldapadsl" and if not found, assuming dialup user and should
authenticate/authorize by "ldap1/ldap2" (DIALUP)

But the problem, referring to debug log.. doesn't matter whether
Ldap-Group=ADSL is found or not, it still check at both ldap1/ldap2 &
ldapadsl i.e. checking "adslAccess & dialAcess" attribute.

What i want is that.. If Ldap-Group ==ADSL is found, it should be
handled by "ldapadsl" and not checking "ldap1/ldap2" and same goes when
not found, it will be handled by "ldap1/ldap2" and not checking
"ldapadsl"


anyone can help.?? thanks
 
--haizam
 
 
 

##
users file:

DEFAULT Ldap-Group == "ADSL", Auth-Type := ADSL

DEFAULT Auth-Type := LDAP

#3
Debug:-

rlm_ldap: performing search in ou=RADIUS,ou=People,dc=jaring,dc=my, with filter (&(jaringConnectionType=ADSL)(&(uid=organza)(objectclass=radiusprofile)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group ADSL not found or user is not a member.
    users: Matched entry DEFAULT at line 147.
.
.
rlm_ldap: checking if remote access for organza is allowed by dialupAccess
.
..
rlm_ldap: no adslAccess attribute - access denied by default


authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }

    Auth-Type ADSL {
        ldapadsl
    }
}

#
authorize {
    redundant {
        ldap1
        ldap2
    }
    ldapadsl
}

#
ldap ldap1 {
    server = "10.1.1.1"
    basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
    access_attr = "dialupAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap ldap2 {
    server = "10.1.1.2"
    basedn = "ou=RADIUS,ou=People,dc=jaring,dc=my"
    access_attr = "dialupAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

ldap adsl {
    server = "10.1.1.3"
    basedn = "ou=ADSL,ou=People,dc=jaring,dc=my"
    access_attr = "adslAccess"
    groupname_attribute = jaringConnectionType
    groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
}

 