On Fri, 24 May 2002, E. Larry Lidz wrote:
>
> Hello,
>
> We're using freeradius to authenticate and authorize connections to a
> VPN concentrator. We're basically using freeradius to pass through
> queries to an LDAP server using the rlm_ldap module. It appears that we
> can set an access_attribute so that users without it aren't authorized...
> however, we'd really like to do the reverse: all users are authorized
> by default unless they have an attribute set which rejects them.
There isn't one handy. You could use the following filter though:
filter = "(&(uid=%u)(!(rejectattr=TRUE)))"
>
> Is there any way to do this?
>
> Further, in the future we might want to channel other authentications
> through the same free radius server (for example, for a modem
> pool). We'd really like to have the modem pool check a different
> attribute in LDAP for authorization so that we can suppress access to
> one of the two without suppressing access to both.
You could just create two instances of the ldap module and select them using
Autz-Type like this:

users file:
DEFAULT Called-Station-Id == "4673726", Autz-Type := Ldap1
DEFAULT Called-Station-Id == "6784543", Autz-Type := Ldap2

radiusd.conf:
authorize {
        files
        autztype Ldap1 {
                ldap1
        }
        autztype Ldap2 {
                ldap2
        }
}
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
>
> Is this possible?
>
> Many thanks,
> -Larry
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
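Added worked example (editor's code, not from the thread or from FreeRADIUS): it evaluates the two rlm_ldap authorization filters discussed above, the reject-attribute filter from the reply and an access_attribute-style filter, against a small constructed directory. The attribute name `vpnaccess`, the three sample entries and the `escape` switch (which models an rlm_ldap that substitutes `%u` verbatim; whether the release you run escapes it is something to confirm) are assumptions made for the example. The filter evaluator covers only the RFC 4515 subset the filters need.

```python
"""Added worked example: not code from the list thread or from FreeRADIUS.

It evaluates the two rlm_ldap authorization filters discussed above against
a small constructed directory, so the difference between "authorize only if
the access attribute is set" and "authorize unless a reject attribute is set"
is visible, together with why the %u substitution must be escaped.
The evaluator covers only the RFC 4515 subset the filters need: equality,
substring/presence (*), AND (&) and NOT (!).
"""
import re

# Constructed sample entries (attribute values are lists, as in LDAP).
# "vpnaccess" is an assumed name standing in for the configured access_attribute.
DIRECTORY = [
    {"uid": ["alice"], "vpnaccess": ["TRUE"]},
    {"uid": ["bob"]},                              # no flags at all
    {"uid": ["carol"], "rejectattr": ["TRUE"]},    # explicitly rejected
]

ALLOW_UNLESS_REJECTED = "(&(uid=%u)(!(rejectattr=TRUE)))"  # filter from the reply
ALLOW_ONLY_IF_FLAGGED = "(&(uid=%u)(vpnaccess=TRUE))"      # access_attribute style


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter string."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def _value_pattern(raw):
    """None means a presence test; otherwise a case-insensitive regex in
    which each unescaped '*' matches any substring."""
    if raw == "*":
        return None
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d in %r" % (ch, i, s))


def _parse(s, i):
    _expect(s, i, "(")
    i += 1
    head = s[i:i + 1]
    if head == "&":
        i += 1
        kids = []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        _expect(s, i, ")")
        return ("and", kids), i + 1
    if head == "!":
        kid, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("not", kid), i + 1
    j = s.index(")", i)                 # escaped values contain no literal ')'
    attr, raw = s[i:j].split("=", 1)
    return ("eq", attr.lower(), _value_pattern(raw)), j + 1


def parse_filter(text):
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, entry):
    if node[0] == "and":
        return all(_matches(k, entry) for k in node[1])
    if node[0] == "not":
        return not _matches(node[1], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern is None:
        return bool(values)
    return any(pattern.fullmatch(v) for v in values)


def authorized(filter_template, username, directory=DIRECTORY, escape=True):
    """uids the search returns; rlm_ldap authorizes when an entry comes back.
    escape=False models an rlm_ldap that substitutes %u verbatim (assumption)."""
    name = escape_filter_value(username) if escape else username
    node = parse_filter(filter_template.replace("%u", name))
    return [e["uid"][0] for e in directory if _matches(node, e)]


if __name__ == "__main__":
    for flt in (ALLOW_UNLESS_REJECTED, ALLOW_ONLY_IF_FLAGGED):
        for user in ("alice", "bob", "carol"):
            print(flt, user, authorized(flt, user))
    # A login name of "*" substituted unescaped matches every non-rejected
    # entry; escaped, it matches nothing.
    print(authorized(ALLOW_UNLESS_REJECTED, "*", escape=False))  # ['alice', 'bob']
    print(authorized(ALLOW_UNLESS_REJECTED, "*"))                # []
```

Two things the run makes visible. With the reject-attribute filter, `bob`, who has no attributes at all, is authorized, so anything that leaves the attribute unset or unreadable (a provisioning mistake, or a bind DN that cannot read `rejectattr`) fails open; restrict who can write that attribute and confirm the identity rlm_ldap binds as can read it. With the access_attribute approach the same mistakes fail closed. Independently of which filter is used, the `%u` substitution has to be escaped: an unescaped `*` turns the uid clause into a presence test and the search returns the first non-rejected entry.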