Thanks for the reply, Dustin! I believe what you describe will work just fine.

Not sure how to ask my next question, so I will try my best. We have some users who receive static IP addresses and other special attributes that are unique to only that user. Then we have some who receive the same attributes and attribute values as the next person. The big difference is those users who receive a static IP versus a dynamic IP out of the DHCP pool. It is my understanding that after LDAP has verified the user it tells RADIUS all the group info. RADIUS then goes through the RADIUS groups info and tries to find the first match. Once the match is found, RADIUS then returns to the NAS the attributes for the profile, not the actual user attributes. How do I set up the servers so that sometimes it returns the profile info (in the case of DHCP-type customers) and sometimes returns specific attributes (in the case of static IP customers)?

Thanks for your help in advance.

--
Jarred F. Cleem
IS Manager
Multiband
2000 44th Street SW
Fargo, ND 58103
(W) 701-281-5376     (F) 701-492-5376


> Message: 6
> Date: Mon, 7 Mar 2005 09:20:43 -0500 (EST)
> From: Dustin Doris <[EMAIL PROTECTED]>
> To: freeradius-users@lists.freeradius.org
> Subject: Re: LDAP Profiles
> Reply-To: freeradius-users@lists.freeradius.org
>
> On Sun, 6 Mar 2005, Jarred Cleem wrote:
>
> > Hello all;
> >

> > I am trying to put together an openLDAP/FreeRadius implementation for a
> > multitude of services we provide.  We are currently providing high speed
> > cable modem services, local dial-up, national dial-up, Motorola Canopy
> > Wireless, DSL, ISDN, extended Ethernet, Ethernet over power and a few
> > other ISP type services.  Currently we have a different AAA platform for
> > all of the different services we provide.  I am doing some research and
> > setting up a test lab to see if I can get everything to one AAA
> > platform.  I think I am close but am looking for some additional help
> > with the connectivity between FreeRadius and openLDAP.
> >
> > I currently have FreeRadius communicating with openLDAP and
> > authenticating the user.  However, the LDAP server is giving the RADIUS
> > server the wrong profile after authentication.  I am not sure if I
> > completely and correctly understand how this works.  It looks as though
> > it finds the first ldap-group in my "users" file and returns the ldap
> > path to the profile.  My problem is that if a user has more than one
> > service, say dial-up and DSL, it does not return the right profile.  It
> > returns the first match in the "users" file.
> >
> > How do I get LDAP and FreeRadius to return to the NAS the correct
> > profile for the type of service the user is trying to authenticate to?
> >
> > Below is my configuration information.
> >
> > openLDAP 2.2.23
> > freeRadius 1.0.2
> > Fedora Core 3
> >
> > Current users file
> > -------begin users--------------------
> > DEFAULT Ldap-Group == disabled, Auth-Type := Reject
> >        Reply-Message = "Account disabled.  Please call the helpdesk."
> >
> > DEFAULT Ldap-Group == dial, User-Profile := "uid=dial,ou=profiles,dc=multiband,dc=us"
> >        Fall-Through = no
> >
> > DEFAULT Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
> >        Fall-Through = no
> >
> > DEFAULT Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
> >        Fall-Through = no
> >
> > DEFAULT Auth-Type := Reject
> >        Reply-Message = "Please call the helpdesk."
> > ---------------end users------------------------------

>
> With the above configuration, if a user is a member of more than one group then
> the first one matched will be the *only* one that will be used. And that *is*
> correct behaviour. What I think you need is to also use incoming request
> attributes to differentiate services (which you aren't right now). Something
> like:
>
> DEFAULT   NAS-Port-Type == ISDN, Ldap-Group == isdn, User-Profile := "uid=isdn,ou=profiles,dc=multiband,dc=us"
>     Fall-Through = no
>
> DEFAULT   NAS-Port-Type == Virtual, Ldap-Group == dsl-ip, User-Profile := "uid=dsl-ip,ou=profiles,dc=multiband,dc=us"
>

> Sometimes you can also know the service based on the nas-ip-address, so
> it's easy to use with huntgroups.
>
> eg:
>
> huntgroups file
>
> dial  nas-ip-address == 1.1.1.1
> dial  nas-ip-address == 1.1.1.2
> dial  nas-ip-address == 1.1.1.3, nas-port-type == async
> isdn  nas-ip-address == 1.1.1.3, nas-port-type == isdn
> adsl  nas-ip-address == 1.1.1.4
>
> What I did there was make 3 nas-ip-addresses in the dial huntgroup.  One
> of them does both dial and isdn, so I added the additional check-item to
> it.  One nas-ip is adsl.
>
> Then in the users file:
>
> DEFAULT Huntgroup-Name == dial, Ldap-Group == dial, User-Profile :=
> uid=dial...
>
> DEFAULT Huntgroup-Name == isdn, Ldap-Group == isdn, User-Profile :=
> uid=isdn...
>
> etc...
>
> DEFAULT Auth-Type := Reject
>
> What you are doing there is first checking the huntgroup.  If you come
> from a dial huntgroup, then we will look to see if you have the ldap-group
> dial, which would signal that you get access to dial.  If not, we move on
> and will eventually hit the reject line.  If you do have dial, we
> authenticate you and return the dial profile.
>
> Same thing for isdn.  If you are coming from an isdn huntgroup, then we
> check to see if you have the isdn group; if so we authenticate you,
> otherwise we move on.
>
> The documentation is getting old, but there is an explanation of that in
> doc/ldap_howto.txt or at http://doris.cc/radius.
>
> I will be rewriting that in the next few months with more specific
> radius/ldap stuff, I'll get rid of the OS specific stuff, and add some new
> things like configurable_failover.  I was hoping to have it done now, but
> my radius rebuild project got demoted due to marketing trying to push out
> new products "yesterday".
>
> Hope that helps.
>
> -Dusty Doris
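The evaluation order the thread turns on (huntgroup assignment from NAS attributes, then a top-down walk of the users file where the first entry whose check items all match wins) is easy to get wrong by reading the files alone. The following is an added toy model written for this thread; it is not FreeRADIUS code and does not parse the real huntgroups or users file formats. Both files are written out as Python data, the groups LDAP reported for a user are passed in as a plain set (standing in for what rlm_ldap would compute), and the DN base `ou=profiles,dc=multiband,dc=us` is taken from the thread. It puts the original users file (keyed on Ldap-Group only) next to the huntgroup-aware one and shows why a user entitled to both dial-up and DSL gets the dial profile from the first file but the DSL profile from the second.

```python
"""Toy model of how FreeRADIUS 1.x walks the huntgroups and users files.

Constructed example for this thread, not FreeRADIUS code. It models only the
rules the thread relies on:
  * Huntgroup-Name == X matches when some huntgroups entry named X has all of
    its own check items satisfied by the request;
  * Ldap-Group == G matches when G is among the groups reported for the user
    (a plain set here; in FreeRADIUS rlm_ldap does this comparison);
  * the users file is walked top to bottom, the reply items of a matching
    entry are collected, and the walk stops there unless Fall-Through = yes.
"""

# Constructed huntgroups file, mirroring the thread's example.
HUNTGROUPS = [
    ("dial", {"NAS-IP-Address": "1.1.1.1"}),
    ("dial", {"NAS-IP-Address": "1.1.1.2"}),
    ("dial", {"NAS-IP-Address": "1.1.1.3", "NAS-Port-Type": "Async"}),
    ("isdn", {"NAS-IP-Address": "1.1.1.3", "NAS-Port-Type": "ISDN"}),
    ("adsl", {"NAS-IP-Address": "1.1.1.4"}),
]

PROFILES = "ou=profiles,dc=multiband,dc=us"  # profile base DN from the thread

# Constructed users files as (check items, reply items, fall_through) tuples.
# The original keys on Ldap-Group alone; the fixed one also keys on the
# huntgroup the request arrived through.
USERS_ORIGINAL = [
    ({"Ldap-Group": "disabled"}, {"Auth-Type": "Reject"}, False),
    ({"Ldap-Group": "dial"}, {"User-Profile": "uid=dial," + PROFILES}, False),
    ({"Ldap-Group": "isdn"}, {"User-Profile": "uid=isdn," + PROFILES}, False),
    ({"Ldap-Group": "dsl-ip"}, {"User-Profile": "uid=dsl-ip," + PROFILES}, False),
    ({}, {"Auth-Type": "Reject"}, False),  # catch-all reject at the bottom
]
USERS_FIXED = [
    ({"Ldap-Group": "disabled"}, {"Auth-Type": "Reject"}, False),
    ({"Huntgroup-Name": "dial", "Ldap-Group": "dial"},
     {"User-Profile": "uid=dial," + PROFILES}, False),
    ({"Huntgroup-Name": "isdn", "Ldap-Group": "isdn"},
     {"User-Profile": "uid=isdn," + PROFILES}, False),
    ({"Huntgroup-Name": "adsl", "Ldap-Group": "dsl-ip"},
     {"User-Profile": "uid=dsl-ip," + PROFILES}, False),
    ({}, {"Auth-Type": "Reject"}, False),
]


def matching_huntgroups(request):
    """Names of every huntgroups entry whose check items the request satisfies."""
    return {name for name, checks in HUNTGROUPS
            if all(request.get(k) == v for k, v in checks.items())}


def check_items_match(checks, request, ldap_groups, huntgroups):
    """True when every check item of one users-file entry is satisfied."""
    for attr, value in checks.items():
        if attr == "Ldap-Group":
            ok = value in ldap_groups
        elif attr == "Huntgroup-Name":
            ok = value in huntgroups
        else:
            ok = request.get(attr) == value
        if not ok:
            return False
    return True


def authorize(users, request, ldap_groups):
    """Walk one users file for one request and return the reply items."""
    huntgroups = matching_huntgroups(request)
    reply = {}
    for checks, reply_items, fall_through in users:
        if check_items_match(checks, request, ldap_groups, huntgroups):
            reply.update(reply_items)
            if not fall_through:
                break  # first match wins unless the entry falls through
    return reply


if __name__ == "__main__":
    # Constructed user entitled to both dial-up and DSL, logging in over DSL.
    both = {"dial", "dsl-ip"}
    dsl_login = {"NAS-IP-Address": "1.1.1.4", "NAS-Port-Type": "Virtual"}
    print("original, DSL login:", authorize(USERS_ORIGINAL, dsl_login, both))
    print("fixed,    DSL login:", authorize(USERS_FIXED, dsl_login, both))
    # Dial-only user arriving on the ISDN side of the shared NAS 1.1.1.3.
    isdn_login = {"NAS-IP-Address": "1.1.1.3", "NAS-Port-Type": "ISDN"}
    print("fixed, dial user on ISDN:", authorize(USERS_FIXED, isdn_login, {"dial"}))
```

Two things the run makes visible: the `disabled` entry only works because it sits above the service entries (ordering is the access control here), and the huntgroup-aware file rejects a dial-only user who shows up on the ISDN port of the shared NAS, which is the "move on and eventually hit the reject line" case in Dustin's explanation. The model does not cover the per-user static IP question from the top of the message.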