>> We are attempting to authenticate multiple users based on which
>> Called-Station-ID or NAS-IP-Address. We would like to dynamically build
>> the LDAP search filter based on the originating source. Is this
>> possible?
>
> Yes.

Those two docs (variables and the users man page) were what I needed to glaze through a bit more carefully. A non-standard attribute was being called and it wasn't defined in the dictionary (User-Class). Also the AV pair should have gone on the check line, instead of the reply lines. My reply packets have no use for what I'm doing internally.

    DEFAULT Called-Station-ID =~ "8888$|7777$", Auth-Type := LDAP, User-Class = "ourDialup"
            Fall-Through = No

For my radiusd.conf file, I defined the ldap filter as:

    filter = "(&(uid=%{User-Name})(userClass=%{check:User-Class}))"

The dictionary had this line added to it:

    ATTRIBUTE User-Class 3003 string

Our goal was to avoid defining an additional object class, groups/profiles and adding additional AVs to the user's directory entry. All we needed for authorization is a valid username and an attribute, which we described as "user-class" and assigned a value to it, like "PPP" or "wireless". It works well.
Thanks to all who responded.
Jay
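
A Python model of the mechanism described in the message above, added here as an example; it is not FreeRADIUS code and not code from the original post. It matches Called-Station-ID against the regex from the DEFAULT line, attaches the User-Class check item, and expands the filter template. The function names, the RFC 4515 escaping step and the "no match returns None" behaviour are assumptions of this model.

```python
import re

# Constructed model of the users-file entry from the post: the regex is the
# one on the DEFAULT line, and the check item it adds is User-Class.
USERS_ENTRIES = [
    (re.compile(r"8888$|7777$"), {"User-Class": "ourDialup"}),
]

# Filter string as given for radiusd.conf in the post.
FILTER_TEMPLATE = "(&(uid=%{User-Name})(userClass=%{check:User-Class}))"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_LDAP_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_LDAP_SPECIALS.get(ch, ch) for ch in value)


def check_items_for(request):
    """Return the check items of the first entry whose regex matches, else None."""
    called = request.get("Called-Station-ID", "")
    for pattern, items in USERS_ENTRIES:
        if pattern.search(called):
            return items
    return None


def build_filter(request):
    """Expand the template; None means no entry matched (assumption of this model)."""
    check = check_items_for(request)
    if check is None:
        return None

    def expand(match):
        name = match.group(1)
        if name.startswith("check:"):
            value = check.get(name[len("check:"):], "")
        else:
            value = request.get(name, "")
        return ldap_escape(value)

    return re.sub(r"%\{([^}]+)\}", expand, FILTER_TEMPLATE)


if __name__ == "__main__":
    # Constructed sample request, not taken from the post.
    print(build_filter({"User-Name": "jay", "Called-Station-ID": "5551237777"}))
```
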