Dear listmembers, I have following setup:
- CentOS 6.4
- FreeRADIUS version: radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- authorization & authentication in LDAP (OpenLDAP)

What I am trying to achieve is:
- manage RADIUS profiles completely in LDAP with replyItems
- return reply items of multiple profiles to a user if he belongs to multiple profiles

Example RADIUS profiles:

dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Read-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Write-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Admin-Priv"
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0xffffffff
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0xffffffff

dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = "Root-Admin"

Example RADIUS user:

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
cn: Tobias Hachmer
givenName: Tobias
mail: tobias.hach...@stadt-frankfurt.de
radiusServiceType: Administrative-User
sn: Hachmer
uid: hachmer
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusProfile
userPassword:: ...
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite

I don't know how to configure FreeRADIUS to read the "radiusGroupName" attribute and attach the configured reply items to the reply list.
Using unlang I am able to do this:

if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
    update reply {
        Alcatel-Access-Priv = Alcatel-Read-Priv
        Alcatel-Access-Priv += Alcatel-Write-Priv
        Alcatel-Access-Priv += Alcatel-Admin-Priv
        Alcatel-Acce-Priv-F-W1 := 0xffffffff
        Alcatel-Acce-Priv-F-W2 := 0xffffffff
        Alcatel-Asa-Access := All
    }
}
if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
    update reply {
        NS-Admin-Privilege := Root-Admin
    }
}

This is working fine but has the disadvantage that I have to configure the reply items statically in the FreeRADIUS configuration files. I want to manage these profiles in LDAP as well. Is this possible?

Kind regards,
Tobias Hachmer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
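As an added illustration (not part of Tobias's post and not FreeRADIUS or rlm_ldap code), the following Python models what "return the reply items of several profiles to one user" means in practice: it reads the two profile entries from the post (embedded here as constructed LDIF text), resolves each radiusGroupName to a profile, and folds the radiusReplyItem values into a single reply list using the operator semantics FreeRADIUS applies to attribute lists (`=` adds only if the attribute is absent, `:=` replaces every existing instance, `+=` always appends). `parse_ldif`, `parse_reply_item`, `apply_item`, `build_reply` and the `base` DN are this example's own names, not module configuration. It makes the privilege accumulation visible: a user in both profiles ends up with every Alcatel privilege plus Root-Admin on the ScreenOS side, which is exactly what a reviewer of such profiles should be checking.

```python
import re

# Constructed sample: the two profile entries from the post, as LDIF text.
PROFILE_LDIF = """\
dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Read-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Write-Priv"
radiusReplyItem: Alcatel-Access-Priv += "Alcatel-Admin-Priv"
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0xffffffff
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0xffffffff

dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = "Root-Admin"
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attr: [values]}}.
    Handles only the plain 'attr: value' form used above (no '::' base64
    values and no folded continuation lines); entries are blank-line separated."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


# One reply item looks like:  Attribute-Name <op> value   (value may be quoted)
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*(.+?)\s*$')


def parse_reply_item(item):
    """Split 'Attr op value' into its three parts, dropping surrounding quotes."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f"cannot parse reply item: {item!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return attr, op, value


def apply_item(reply, attr, op, value):
    """Apply one item to `reply` (a list of (attr, value) pairs) with the
    FreeRADIUS attribute-list operator semantics:
      =   add only if no instance of attr is present yet
      :=  remove every existing instance of attr, then add this one
      +=  always append another instance
    """
    if op == "=":
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    else:
        raise ValueError(f"unsupported operator {op!r}")


def build_reply(group_names, entries,
                base="ou=profiles,ou=radius,dc=example,dc=com"):
    """Resolve each radiusGroupName to a profile entry under `base` and fold
    its radiusReplyItems into one reply list, in the order the names appear."""
    reply = []
    for name in group_names:
        dn = f"uid={name},{base}"
        entry = entries.get(dn)
        if entry is None:
            raise KeyError(f"no profile entry for {dn}")
        for item in entry.get("radiusReplyItem", []):
            apply_item(reply, *parse_reply_item(item))
    return reply


if __name__ == "__main__":
    profiles = parse_ldif(PROFILE_LDIF)
    # The user from the post is a member of both profiles.
    for attr, value in build_reply(["aosReadWrite", "sosReadWrite"], profiles):
        print(f"{attr} = {value}")
```

Note the difference between the profile's `Alcatel-Acce-Priv-F-W1 = 0xffffffff` and the unlang `:=` form: with `=`, a value already placed in the reply by an earlier profile or module wins, while `:=` overrides it. Which one is wanted decides how two profiles that touch the same attribute combine, so it is worth fixing deliberately rather than by accident.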