Why don't you use groups?

-----Original Message-----
From: Steve Tolman [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 21, 2002 1:25 PM
To: [EMAIL PROTECTED]
Subject: LDAP Attributes


Hello,

I am using FreeRadius 0.5 and need to be able to Authorize users based 
on an LDAP attribute. I would like the attribute to be able to have 
multiple integer values that would indicate access level, i.e. LDAP 
attribute dslaccesslevel = 500, dslaccesslevel = 100. Different users 
would be allowed different access rights based on this attribute. 

I have not been able to get FreeRadius to Authorize based on this 
attribute. Here is a copy of my relevant config files and debug output.

I added the Attribute dslaccesslevel as an integer type in the 
dictionary file.

Thanks in advance for any help.


Users File

#
#
DEFAULT dslaccesslevel == "500", Auth-Type := Accept
#
#
DEFAULT Auth-Type := REJECT


Radiusd.conf Authorize / Authenticate

authorize {
        preprocess
#       counter
#       attr_filter
#       eap
        ldap
        suffix
        files
#       mschap
}


# Authentication.
#
#
authenticate {
#       pam
#       unix
        ldap
#       mschap
#       eap
}



DEBUG OUTPUT
rad_recv: Access-Request packet from host 134.135.136.137.46:1027, 
id=46, length=112
        User-Name = "testuser2"
        User-Password = "\254\233\3247'\030\233E\200C"\nc\235\013e"
        NAS-IP-Address = 134.135.136.137
        NAS-Identifier = "SMS_TestLab"
        NAS-Port = 3
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Attr-1111621635 = "00d0592a8449"
        NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser2
radius_xlat:  '(uid=testuser2)'
radius_xlat:  'o=isu.edu'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to test.isu.edu:389, authentication 0
rlm_ldap: bind as /
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=isu.edu, with filter (uid=testuser2)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding dslaccesslevel as dslaccesslevel, value 500 & op=11
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding dslaccesslevel as dslaccesslevel, value 500 & op=11
rlm_ldap: user testuser2 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 157
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type REJECT
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 46 to 134.135.136.137:1027
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 46 with timestamp 3c9a1da3
Nothing to do.  Sleeping until we see a request.




- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
