Sylvain Robitaille wrote:
> I'm back. Small reminder, since it appears that list members are
> helping a sufficient number of folks that remembering my particular
> setup would be non-trivial:

I have trouble remembering messages from 10 minutes ago. It's easier that way.

...
> - My configuration files are nearly "stock", with the exception of the
> necessary configuration to get the ldap module talking to the LDAP
> server.
> - This setup has been running like this now for a couple of days
> without any trouble.

And yes, it really is that easy. (That's mostly for the people who think it's hard... because they butcher the default configs.)

> What I'm aiming to accomplish, however, is that the FreeRADIUS server
> will authorize users for different services based on a slightly
> different LDAP query. The users are in various groups, which can be
> checked by supplying an LDAP query filter that checks the "memberOf"
> attribute; users in group "wireless" should be permitted to use the
> wireless service; users in group "vpn" should be able to use the VPN
> service; users in both groups could use either, and users in neither
> group should be refused for either, etc.

You should be able to do this with multiple LDAP modules, or maybe by dynamically editing the ldap query.

> ... Running radiusd in debug mode shows that the
> ldap module is using the configuration for its un-named instance (the
> default one from the stock config files, with minimal configuration to
> permit it to lookup users in our LDAP).

You have to change the reference to "ldap" in sites-available/default to the instance name, e.g. "ldap_wireless".

> I can tell the difference in which LDAP module configuration stanza is
> used by the query filter shown in the debug output.

Thankfully. Isn't debug output nice? More people should use it...

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
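The "multiple LDAP module instances" approach from the reply above, as an added configuration example (not from the original thread or the FreeRADIUS project). It assumes a FreeRADIUS 2.x-style rlm_ldap configuration with per-instance `filter`, that the `ldap_wireless` / `ldap_vpn` instance names, server name, base DN, group DNs and the `Huntgroup-Name` values are placeholders for a real deployment, and that the huntgroups file already maps the wireless and VPN NAS devices to those names.

```conf
# raddb/modules/ldap_services (hypothetical file, placeholders throughout)
#
# Two separate instances of the ldap module. Each one uses the same
# connection details but a different search filter, so a user is only
# "found" for a service when they are a member of that service's group.
ldap ldap_wireless {
    server = "ldap.example.com"
    identity = "cn=radius,ou=service,dc=example,dc=com"
    password = "REPLACE-WITH-BIND-PASSWORD"
    basedn = "ou=people,dc=example,dc=com"
    # Match the user AND require membership in the "wireless" group.
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=wireless,ou=groups,dc=example,dc=com))"
}

ldap ldap_vpn {
    server = "ldap.example.com"
    identity = "cn=radius,ou=service,dc=example,dc=com"
    password = "REPLACE-WITH-BIND-PASSWORD"
    basedn = "ou=people,dc=example,dc=com"
    # Same user lookup, but require membership in the "vpn" group.
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=vpn,ou=groups,dc=example,dc=com))"
}

# raddb/sites-available/default (authorize section excerpt)
#
# The stock file references the un-named "ldap" instance. Replace that
# reference with the instance chosen for the service that the request
# arrived from, and refuse explicitly when the filter finds no entry,
# so users in neither group are rejected rather than silently skipped.
authorize {
    preprocess
    if (Huntgroup-Name == "wireless") {
        ldap_wireless
        if (notfound) {
            reject
        }
    }
    elsif (Huntgroup-Name == "vpn") {
        ldap_vpn
        if (notfound) {
            reject
        }
    }
    else {
        reject
    }
}
```

Running `radiusd -X` afterwards shows which instance handled the request, since the debug output prints the expanded filter for each LDAP search.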