ldap attributes dependent on complex logic - freeradius suitable?

2004-03-15 Thread Tariq Rashid

i've previously used radiator as it is simple to modify the check and reply
items, especially when the check and reply items depend on some quite
convoluted logic (the flowchart is not simple).

having had an initial look at freeradius and the ldap module - i am reaching
the conclusion that the standard modules and freeradius are not suited to
this task. for simple tasks such as always adding ldap attributes to reply
packets then freeradius seems to be fine. there appears to be no easy way to
encode any complex decision logic in the configuration files.

(for example, if domain is xxx and dialled number is one of a, b, c or d,
then get ldap attributes and add to reply. another example could be if ldap
attribute exists, then proceed with logic block)...

the only sensible location for non-trivial decision logic is in a new module
specific to our needs. but would this mean that we have to implement our own
calls to ldap within this module, or could we use the existing ldap module
to get the relevant attributes and then use these values in our own module?
that is ...
   {
   call standard ldap module;
   ...
   call our module (which uses values retrieved)
   ...
   }

even my initial look at the ldap module was confusing as the examples simply
connect to the ldap server using the supplied username and password. this
is not what i want, i want to connect using a standard single username and
use the supplied User-Name to obtain various records...

thoughts, comments appreciated

tariq

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: ldap attributes dependent on complex logic - freeradius suitable?

2004-03-15 Thread Kostas Kalevras
On Mon, 15 Mar 2004, Tariq Rashid wrote:


 i've previously used radiator as it is simple to modify the check and reply
 items, especially when the check and reply items depend on some quite
 convoluted logic (the flowchart is not simple).

 having had an initial look at freeradius and the ldap module - i am reaching
 the conclusion that the standard modules and freeradius are not suited to
 this task. for simple tasks such as always adding ldap attributes to reply
 packets then freeradius seems to be fine. there appears to be no easy way to
 encode any complex decision logic in the configuration files.

 (for example, if domain is xxx and dialled number is one of a, b, c or d,
 then get ldap attributes and add to reply. another example could be if ldap
 attribute exists, then proceed with logic block)...

You can accomplish most things with multiple ldap module instances, the
Ldap-Profile attribute, ldap xlat, and Autz-Type. I don't think the ldap module
should get more complicated, just use the already existing general
infrastructure. doc/rlm_ldap should clear most of the above things.
If you can find a specific need which can't be handled by such a mechanism then
we can talk about changes to the ldap module.


 the only sensible location for non-trivial decision logic is in a new module
 specific to our needs. but would this mean that we have to implement our own
 calls to ldap within this module, or could we use the existing ldap module
 to get the relevant attributes and then use these values in our own module?
 that is ...
 {
 call standard ldap module;
 ...
 call our module (which uses values retrieved)
 ...
 }

 even my initial look at the ldap module was confusing as the examples simply
 connect to the ldap server using the supplied username and password. this
 is not what i want, i want to connect using a standard single username and
 use the supplied User-Name to obtain various records...

This is wrong: the ldap module will connect with the supplied username/password
only for user authentication. User authorization (ldap attribute extraction) is
performed by connecting to the ldap server with the username/password specified
in the module configuration.


 thoughts, comments appreciated

 tariq



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
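A constructed configuration sketch of the mechanism Kostas describes (added here; it is neither from this thread nor from the FreeRADIUS project's shipped files): a second rlm_ldap instance that binds with a service account and is reached through Autz-Type from users-file check items, so the "realm is xxx and dialled number is a, b, c or d" decision lives in the users file rather than in module code. The hostname, DNs, service-account password, instance name `ldap2`, the Autz-Type value `LDAP2` and the xxx / a..d values are placeholders.

```conf
# --- radiusd.conf fragment (FreeRADIUS 1.x style), constructed example ---

# Second rlm_ldap instance used only for authorization (attribute extraction).
# It binds with the service account below; the user's own password is used
# only in the authenticate section, never for this lookup.
ldap ldap2 {
        server = "ldap.example.invalid"
        identity = "cn=radius-reader,ou=services,dc=example,dc=invalid"
        password = "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"
        basedn = "ou=people,dc=example,dc=invalid"
        # Locate the entry by the supplied User-Name (realm stripped if present).
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # Only entries that carry a RADIUS profile are considered.
        base_filter = "(objectclass=radiusprofile)"
        # Protect the service-account bind and the returned attributes in transit.
        start_tls = yes
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

authorize {
        preprocess
        suffix          # splits user@xxx into Stripped-User-Name and Realm
        files           # evaluates the users entries below; may set Autz-Type
        # Entered only when a users entry set Autz-Type := LDAP2; the
        # attributes ldap2 extracts are added to the reply as usual.
        Autz-Type LDAP2 {
                ldap2
        }
}

# --- users file fragment, constructed example ---
# The decision logic is expressed as check items: realm xxx AND dialled
# number (Called-Station-Id) one of a, b, c or d selects the ldap2 lookup.
DEFAULT Realm == "xxx", Called-Station-Id =~ "^(a|b|c|d)$", Autz-Type := LDAP2
        Fall-Through = Yes
```

Requests that do not match the check items never touch ldap2, which keeps the service account's reads limited to the cases the policy actually needs.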
