At 12:15 AM 8/22/2001 -0700, you wrote:
>Greetings list members.
>
>I am testing FreeRADIUS currently and have a couple of questions.
>
>I use the LDAP module for authentication. I have two realms, each on
>separate DNs. How can I have two separate ldap configurations?
You can declare them as two separate instances in the config file:

modules {
    ...
    ldap LDAPONE {
        server = "server1.foobar.biz"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%u)"
        ...
    }
    ldap LDAPTWO {
        server = "server2.foobar.biz"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%u)"
        ...
    }
    ...
}

Then call the modules as LDAPONE and LDAPTWO in the auth sections. See
the SQL module examples on how to do multiple instances.
>It would be neat to be able to specify ldap_realma { binddn= etc..} and
>then ldap_realmb { binddn= etc..}, then do a fall through type of deal in
>the authenticate block. Is there current structure for this,
>or do I need a second radius server/implementation to do this properly?
Read the docs, and look at the examples. This is explained in intricate
detail in 'doc/configurable_failover'.
>Secondly, do we have the ability to send attributes back to specific
>radius clients? I like to apply SMTP filters to NAS devices via
>attributes such as 242, but this becomes difficult when you have some
>ascend, cisco, portmaster, and cvx boxes on your network.
>
>I need to be able to do attributes X for client A (or maybe client group
>A?) and attributes N for client B.
I have a similar need, as Ciscos and PMs require slightly different
syntax for 'Filter-ID' (appending a .in to Ciscos). For things other
than that, you can send attributes from other vendors, and they should
be ignored by other vendors. However, not all vendors read the same
RFC apparently, so this may not be the case, but that's another rant. :)
For now, there isn't a way to do what you want, but there is a need for
something similar, so have patience and it'll be there.
-Chris
--
\\\|||/// \ Chris Parker - Manager, Development Engineering
\ ~ ~ / \ WX *is* Wireless! \ [EMAIL PROTECTED]
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Without C we would have 'obol', 'basi', and 'pasal'
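
The fall-through between the two LDAP instances asked about above, as an added example that is not part of the original message or of the FreeRADIUS distribution. It assumes the `group` wrapper and per-module return-code overrides in the form described in doc/configurable_failover of later FreeRADIUS releases; check the copy shipped with the installed version, since the syntax may differ. The `preprocess` entry is likewise an assumption about the surrounding section.

```conf
# Added example: try LDAPONE first, fall through to LDAPTWO.
# Instance names match the modules { } block earlier in this message.
authorize {
    preprocess

    group {
        LDAPONE {
            # User found in the first directory: stop, do not query the second.
            ok       = return
            updated  = return

            # User not present here: continue to the next module in the group.
            notfound = 1

            # Directory unreachable or search error: continue as well.
            # Assumption: falling over on failure is wanted, see note below.
            fail     = 1

            # Anything that is an explicit denial ends processing at once.
            reject   = return
            userlock = return
            invalid  = return
        }

        # Last module in the group: its result becomes the group's result
        # if LDAPONE did not return early.
        LDAPTWO
    }
}
```

With `fail = 1`, an outage of the first directory silently shifts every lookup to the second one; remove that override if users of the first realm must never be resolved against the second realm's server, so that a failure ends the request instead.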