On Sat, 24 Jan 2004 11:39:33 -0500
"Alan DeKok" <[EMAIL PROTECTED]> wrote:

> > AFAIUI this variable is not available and I have to create it
> > myself.
> 
>   No... the Realm attribute is created by the realm module.

ok

> > I
> > succeeded to run a shell-script that outputs the realm on stdout
> > when a user authenticates. But I can't get it clear from the doc how
> > to put this output in %{Realm}. According to the docs I have to have
> > a line like this:
> > 
> > Attribute-Name = `{%exec:/path/to/program args}`
> 
>   Ok... but I don't see why you'd run a script to do that.
> 
> > So I should have something like this:
> > 
> > Realm = `{%exec:/usr/local/scripts/realmgrep}`
> > 
> > But where do I have to put this line? If I put this line in the
> > instantiate or authorize, radiusd complains:
> 
>   Yes... because those parts of the configuration file take module
> names, not attributes.

That's what radiusd -X tells me as well ;-)

> > so I think this line has to be put somewhere else. I tried the ldap
> > configuration section, but without success.
> 
>   I have no clue why you'd try to put it in the ldap section.

I want to use 1 front-end FR for a set of both LDAP and RADIUS servers
for authentication and use realms to distinguish between the
auth-servers:

              +--> RADIUS1
              |
user -> FR ->-+--> RADIUS2
              |
              +--> LDAP1
              |
              +--> LDAP2
              |
              +--> LDAP3


The radius to radius proxy with realms works fine, no problem. The
radius to LDAP part works fine as well, very nice piece of work! But
I'd like to use realms to check whether a user should authenticate
against LDAP1, LDAP2 or LDAP3:

[EMAIL PROTECTED]  --> LDAP1
[EMAIL PROTECTED]  --> LDAP2
[EMAIL PROTECTED]  --> LDAP3

It is not possible for me to merge LDAP1, LDAP2 and LDAP3 into 1 LDAP,
they're independent servers. But AFAIUI I can't use the realm module to
connect directly to LDAP servers. I can of course put an extra FR in
front of each LDAP, but I'd rather use LDAP/TLS instead of sending
UDP/1812 over the internet ;-)
So I was wondering if I could connect to different LDAP servers
using TLS and to different groups/ou's using realms. That's why I
thought that an external script might be useful. It's not for a big ISP
btw, so there are no high-load issues.

>   What's wrong with using the "realm" module, which comes configured
> to do realms?

Because in proxy.conf I see a "type" entry which is always set to
"radius", but I can't find which types are allowed here. You mean that a
"type = ldap" is possible here? And if yes, what syntax should be used?

realm isp2.com {
       type        = radius
       authhost    = radius.isp2.com:1645
       accthost    = radius.isp2.com:1646
       secret      = TheirKey
}

I tried the following now, I put "exec" in the instantiate part of
radiusd.conf like the doc says. Then, in the ldap module section I
replaced the line "basedn" with the exec of the script (which outputs
the right output on stdout, something like "ou=test,dc=example,dc=com")

        ldap ldap_test {
                server = "localhost"
                basedn = `{%exec:/usr/local/scripts/realmgrep}`

but radiusd -X tells:

rlm_ldap: performing user authorization for user123
radius_xlat:  '(uid=user123)'
WARNING: Unknown variable '%e': See 'doc/variables.txt'
radius_xlat:  '{%exec:/usr/local/scripts/realmgrep}'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in {%exec:/usr/local/scripts/realmgrep}, with filter (uid=user123)
rlm_ldap: ldap_search() failed: Invalid DN syntax

Apparently I still miss something crucial somewhere :(

R.

-- 
___________________________________________________________________
Recursion: see recursion

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
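As an added illustration (not from the thread, and not FreeRADIUS code), the following Python sketches the decision the poster's realmgrep script has to make for every request: split User-Name into user and realm, route the realm to one of the three LDAP servers from a fixed allow-list, and produce the search base and filter. Two points matter from a security standpoint: the realm is only ever used as a lookup key, never interpolated into a DN, so a User-Name with an unknown or crafted realm is rejected instead of being searched in some default directory; and the user part is escaped per RFC 4515 before it goes into the `(uid=...)` filter, so a name such as `a*b)(uid=*` cannot widen the search. The realm table, hostnames and base DNs are constructed placeholders.

```python
"""Realm-based routing of an authentication request to one of several LDAP
servers. Added example; the realm table, hostnames and base DNs below are
constructed placeholders, not values from the mailing-list thread."""

from typing import NamedTuple, Optional, Tuple

# Constructed allow-list: realm -> (LDAP server URI, base DN). In the
# poster's diagram these would be LDAP1, LDAP2 and LDAP3. Using ldaps://
# mirrors the wish to use LDAP/TLS rather than RADIUS over UDP/1812.
REALM_TABLE = {
    "isp1.example": ("ldaps://ldap1.isp1.example", "ou=users,dc=isp1,dc=example"),
    "isp2.example": ("ldaps://ldap2.isp2.example", "ou=users,dc=isp2,dc=example"),
    "isp3.example": ("ldaps://ldap3.isp3.example", "ou=users,dc=isp3,dc=example"),
}


class Route(NamedTuple):
    server: str
    basedn: str
    filter: str


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' the way a suffix-style realm split does:
    everything after the LAST '@' is the realm; no '@' means no realm.
    The realm is lower-cased so table lookups are case-insensitive."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    '*', '(', ')', '\\' and NUL are replaced by \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def route_request(user_name: str) -> Optional[Route]:
    """Return where to search for this user, or None when the realm is
    missing or not one we serve (reject the request in that case)."""
    user, realm = split_realm(user_name)
    if realm is None or realm not in REALM_TABLE or not user:
        return None
    server, basedn = REALM_TABLE[realm]
    # Only the escaped user part reaches the filter; the realm itself
    # selected the server and base DN via the allow-list.
    return Route(server, basedn, "(uid=%s)" % escape_filter_value(user))


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("user123@isp2.example", "user123", "a*b)(uid=*@isp1.example",
                 "user123@unknown.example"):
        print(name, "->", route_request(name))
```

A FreeRADIUS deployment would get the same effect from one `ldap` module instance per directory plus a realm-keyed dispatch, but the two checks above (allow-list the realm, escape the user part) apply whichever mechanism ends up calling the script.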
