On Sat, Aug 29, 2009 at 7:11 AM, Peter Lambrechtsen <[email protected] > wrote:
> On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <[email protected]> wrote:
>
>> > I am trying to have granular reply items depending on the NAS they
>> > connected to, all driven using attributes in LDAP without needing to
>> > use realms.
>> >
>> > IE User A passes just User&Password to NAS A and gets reply attr
>> > "Service-Type=admin", and the admin comes from an LDAP attribute "nasA"
>> > in LDAP.
>> > Same user logs into NAS B and gets back a "Service-Type=user" and the
>> > value user comes from an attribute "nasB".
>> >
>> > Looking through the ldap.attrmap it seems to be a static mapping for
>> > Service-Type to be statically set to a single value from LDAP, but what
>> > happens if I want that value to be different depending on which NAS I
>> > have connected from.
>> >
>> > Have searched around and haven't found any documents talking about how
>> > to have this granular level of configuration.
>>
>> Well, you have custom attributes in Ldap - translate them to custom
>> attributes in radius (define them first in raddb/dictionary and map them
>> in ldap.attrmap, let's say nasA to nasA as replyItem, etc.)
>>
>> Then use unlang to set service type:
>>
>> if (NAS-IP-Address == NAS A IP) {
>>     update reply {
>>         Service-Type = "%{reply:nasA}"
>>     }
>> }
>> elsif (NAS-IP-Address == NAS B IP) {
>> ...
>
> Another thought would be to have ldap group based authorize and attributes
> being passed back.
>
> IE the user has a "member" attribute specifying which services it has
> access to and which attributes to be passed back.
>
> This is the user in LDAP:
>
> dn: cn=user,o=users
> member: cn=admin,ou=nasA,o=radius
> member: cn=user,ou=nasB,o=radius
> member: cn=1,ou=nasC,o=radius
> member: cn=15,ou=nasC,o=radius
> member: cn=somethingelse,o=groups
>
> Then I think I would specify in the clients the update reply, ie:
>
> if (NAS-IP-Address == NAS A IP) {
>     update reply {
>         Service-Type = "%{reply:nasA}"
>     }
> }

What I was actually meaning was:

if (NAS-IP-Address == NAS A IP) {
    if (member contains "ou=nasA,o=radius") {
        if (member == "cn=admin,ou=nasA,o=radius") {
            update reply {
                Service-Type = "admin"
            }
        }
    }
}

Or something similar.

I assume I would update the post-auth section under sites-enabled/default?
Or would it be under clients.conf or the modules/ldap?

>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
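One way to express the per-NAS group policy from this thread as real FreeRADIUS 2.x unlang, written as an added example (it is not code from either poster or from the FreeRADIUS project). It assumes: the user entry's group DNs are exposed through the ldap module's Ldap-Group comparison by setting groupmembership_attribute = member in modules/ldap; NAS A and NAS B are the clients.conf entries at the placeholder addresses 192.0.2.10 and 192.0.2.20; and the policy is defined in raddb/policy.conf and called from the authorize section of sites-enabled/default right after the ldap module, so the group lookups have already happened. Service-Type values are dictionary names (Administrative-User, NAS-Prompt-User, Login-User), since strings like "admin" are not valid values for that attribute. Packet-Src-IP-Address is used instead of NAS-IP-Address because it is the address clients.conf verified the shared secret against, whereas NAS-IP-Address is only a value the client chose to put in the request.

```unlang
# raddb/policy.conf (added example; placeholder NAS addresses and group DNs)
policy {
    nas_service_type {
        # NAS A: only users in a nasA group get in, and the group decides
        # the Service-Type they are handed back.
        if (Packet-Src-IP-Address == 192.0.2.10) {
            if (Ldap-Group == "cn=admin,ou=nasA,o=radius") {
                update reply {
                    Service-Type := Administrative-User
                }
            }
            elsif (Ldap-Group == "cn=user,ou=nasA,o=radius") {
                update reply {
                    Service-Type := NAS-Prompt-User
                }
            }
            else {
                # No nasA membership: fail closed rather than let the NAS
                # apply whatever default it uses for a missing Service-Type.
                reject
            }
        }
        # NAS B: a single non-privileged role in this example.
        elsif (Packet-Src-IP-Address == 192.0.2.20) {
            if (Ldap-Group == "cn=user,ou=nasB,o=radius") {
                update reply {
                    Service-Type := Login-User
                }
            }
            else {
                reject
            }
        }
        else {
            # A client we have no policy for: refuse instead of silently
            # accepting with no Service-Type.
            reject
        }
    }
}

# raddb/sites-enabled/default, authorize section (only the relevant lines):
#
#     authorize {
#         ...
#         ldap
#         nas_service_type
#         ...
#     }
```

Because the policy runs in authorize, a reject here stops processing before the authenticate section, so a user with a valid password but no group for that NAS is refused outright; the explicit else branches are what make the mapping fail closed, which the sketches in the thread (which only ever set Service-Type on a match) do not. The nasC entries in the posted LDAP record (cn=1, cn=15) would need a third branch of the same shape once it is decided what those values mean.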

