Thanks a lot. More questions.
If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too: http://www.mail-archive.com/[email protected]/msg65781.html

I am trying to follow your comment on this. I now realize we used to run eDir and have now converted to iPlanet Directory. Anyway, do I still need to enable the compile-time --with-edir option as stated below? My guess is yes, since otherwise I could not call ldap in the post-auth section of the "auth" virtual server for eap.

## etc/raddb/modules/ldap
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
#edir_account_policy_check = no

What I want to do is just to check some attributes in our ldap server; our structure is like the following:

# extended LDIF
#
# LDAPv3
# base <ou=people,dc=foo,dc=edu> with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribute/value pairs in your example cache_ldap-userdn.pm, so I can use these values as logic to assign users to different VLANs. Can I do that in your pm?

fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active

Thanks,
Schilling

On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter <[email protected]> wrote:
> schilling <[email protected]> wrote:
>>
>> I am trying to play with your configuration, basically I have a
>> virtual server called auth as in your example, and modified my eap.conf for
>> peap to use auth.
>>
>> What's the config:local.MY.realm? My debug showed
>>
>
> Phil pretty much covered it (and in a neater manner I was not aware
> could be used, but it is obvious now seeing it...), I put all the 'local
> site' specific details into a single configuration file (including
> SQL/LDAP binding credentials) so that if I want to give someone a copy
> of my config, all I have to really do is trim the 'local' file and know I
> have not leaked anything important.
>
> For example, just after '$INCLUDE clients.conf' in the main radiusd.conf
> file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file
> is:
> ----
> local.MY.hostname = iodine.it.soas.ac.uk
> local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
> local.MY.addr.v4 = 212.219.138.70
>
> local.MY.realm = soas.ac.uk
>
> local.addr.v6 = 2001:630:1b:1001:624a::15bb
> local.addr.v4 = 193.63.73.37
>
> local.test.username = test-username
> local.test.password = [ahem]
>
> local.ldap.server.1 = ldap1.soas.ac.uk
> local.ldap.server.2 = ldap2.soas.ac.uk
> local.ldap.username = cn=cheese,ou=is,o=tasty
> local.ldap.password = NOM
>
> local.sql.server = sql.soas.ac.uk
> local.sql.username = radius-username
> local.sql.password = oh-so-very-secret
>
> local.cert.password = omg-do-not-tell-anyones
>
> [snipped]
>
> $INCLUDE ${confdir}/LOCAL/templates.conf
>
> $INCLUDE ${confdir}/LOCAL/policy.conf
>
> $INCLUDE ${confdir}/LOCAL/proxy.conf
>
> $INCLUDE ${confdir}/LOCAL/clients/
> ----
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Riches cover a multitude of woes.
> -- Menander
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
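As an added example (not from this thread, and not Alexander's cache_ldap-userdn.pm), the Python below parses an LDIF entry like the one Schilling posted, keeps only the four attributes he wants cached so that ntPassword never reaches the cache, and maps the department number to a VLAN; the sample entry (with a placeholder ntPassword) and the department-to-VLAN table are constructed for the example.

```python
import base64

# Constructed LDIF entry modelled on the thread's; ntPassword is a placeholder.
SAMPLE_LDIF = """# extended LDIF
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 00000000000000000000000000000000
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding
"""
# Attributes that may be cached for VLAN decisions; anything else
# (notably ntPassword) is dropped so the cache never holds a secret.
CACHEABLE = ("fooEduPSHRdeptName", "fooEduPSHRDepartmentNumber",
             "fooEduEmployeeStatus", "employeeStatus")
# Constructed department-number -> VLAN table for the example.
DEPT_VLAN = {"123456": 20}
DEFAULT_VLAN = 10

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, handling '#'
    comments, folded continuation lines and base64 ('::') values."""
    logical, entry = [], {}
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def cacheable_attributes(entry):
    # Whitelist the entry down to what the VLAN logic needs.
    return {k: v for k, v in entry.items() if k in CACHEABLE}

def choose_vlan(cached):
    # Inactive accounts get no VLAN; active ones map by department number.
    if cached.get("employeeStatus", [""])[0] != "Active":
        return None
    dept = cached.get("fooEduPSHRDepartmentNumber", [""])[0]
    return DEPT_VLAN.get(dept, DEFAULT_VLAN)
```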

