schilling <[email protected]> wrote:
>
> Thanks a lot.
>
> More questions.
>
> If you want to lower the load (and authentication latency) on your AD
> servers then you might want to look at the following too:
>
> http://www.mail-archive.com/[email protected]/msg65781.html
>
First things first, did you get it all working? If not, start there.

When I say 'lower the load', all it does is reduce the number of EAP packets from about 12 to 4 that are needed for a session resumption; but it also means you only need two LDAP lookups rather than 12. So your AD load will go from 0.000001 to 0.0000000001 or something. I am bigging up the numbers more than it is worth (although the latency bit is possibly handy for roaming devices).

> I am trying to follow your comment on this. I now realized we used to
> run eDir and now converted to iplanet directory. Anyway, do I still
> need to enable the compilation --with-edir option as stated below? My
> guess is yes since otherwise, I could not call ldap in the post-auth
> section in "auth" virtual server for eap.
>
> ##etc/raddb/modules/ldap
> # Un-comment the following to disable Novell
> # eDirectory account policy check and intruder
> # detection. This will work *only if* FreeRADIUS is
> # configured to build with --with-edir option.
> #
> #edir_account_policy_check = no
>
> What I want to do is just to check some attribute in our ldap server,
> our structure is like the following:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=foo,dc=edu> with scope subtree
> # filter: uid=sding
> # requesting: ALL
> #
>
> # sding, People, foo.edu
> dn: uid=sding,ou=People,dc=foo,dc=edu
> ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
> fooEduPSHRdeptName: Information Technology Service (ITS)
> fooEduPSHRDepartmentNumber: 123456
> fooEduEmployeeStatus: Active
> employeeStatus: Active
> uid: sding
>
The eDir bits are probably not needed as you are using mschap with those 'ntPassword' attributes. eDir has 'universal password' which is a sales monkey's way of saying "the password is available in plaintext if required". Sounds like to me you do not currently have FreeRADIUS setup working the way you want it to?

> I would like to cache the following attribute/value in your example
> cache_ldap-userdn.pm, so I can use these values as logic to assign
> user to different VLANs. Can I do that in your pm?
> fooEduPSHRdeptName: Information Technology Service (ITS)
> fooEduPSHRDepartmentNumber: 123456
> fooEduEmployeeStatus: Active
> employeeStatus: Active
>
Looks like 'employeeStatus' should go in as part of your user filter, but to do the others I would need to generalise my Perl module. Easily done, but I'm not going to do it before I know you actually have it already working. :)

/me pats sigmonster and gives it a cookie

Cheers

--
Alexander Clouter
.sigmonster says: Success is a journey, not a destination.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
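The logic the thread is circling around (parse the LDIF record, keep only the authorisation attributes, cache them per uid so a session resumption does not hit the directory again, and turn the department number into a VLAN assignment) is sketched below as an added, stand-alone example. It is Python rather than an rlm_perl module, it is not Alexander's cache_ldap-userdn.pm and not FreeRADIUS code, and everything in it is constructed: the LDIF text mirrors the record quoted above with a placeholder in place of the NT hash, the `DEPT_TO_VLAN` table, the `AuthzCache` class and the `fake_ldap` stand-in for the directory query are hypothetical names, and the VLAN numbers are made up. The one deliberate design point is that `ntPassword` is never written into the cache; only the attributes needed for the VLAN decision are kept.

```python
import base64
import time

# Constructed LDIF record in the shape of the one quoted in the thread.
# The ntPassword value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=foo,dc=edu> with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 0000000000000000000000000000000
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding
"""

# Attributes worth caching for authorisation. Password material (ntPassword)
# is deliberately not in this list: the cache only serves VLAN decisions.
AUTHZ_ATTRS = ("fooEduPSHRdeptName", "fooEduPSHRDepartmentNumber",
               "fooEduEmployeeStatus", "employeeStatus")

# Hypothetical department-number -> VLAN mapping (constructed for the example).
DEPT_TO_VLAN = {"123456": "200"}
DEFAULT_VLAN = "100"


def parse_ldif(text):
    """Parse one LDIF entry: skip comments and blank lines, unfold
    continuation lines, decode '::' base64 values, collect multi-values."""
    entry = {}
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:      # RFC 2849 folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if ":: " in line:
            name, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8")
        else:
            name, value = line.split(": ", 1)
        entry.setdefault(name, []).append(value)
    return entry


def vlan_reply(entry):
    """Decide the VLAN for a parsed entry. Returns the RADIUS reply
    attributes for a VLAN assignment, or None when the account must
    be rejected (employeeStatus is not 'Active')."""
    if entry.get("employeeStatus", [""])[0] != "Active":
        return None
    dept = entry.get("fooEduPSHRDepartmentNumber", [""])[0]
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": DEPT_TO_VLAN.get(dept, DEFAULT_VLAN),
    }


class AuthzCache:
    """Per-uid cache of the authorisation attributes with a TTL, so a
    session resumption reuses the earlier lookup instead of querying LDAP."""

    def __init__(self, lookup, ttl=300):
        self.lookup = lookup      # callable uid -> LDIF text (the directory query)
        self.ttl = ttl
        self.store = {}
        self.ldap_queries = 0     # how many times the directory was actually asked

    def get(self, uid, now=None):
        now = time.time() if now is None else now
        hit = self.store.get(uid)
        if hit and hit[0] > now:
            return hit[1]
        self.ldap_queries += 1
        entry = parse_ldif(self.lookup(uid))
        kept = {k: v for k, v in entry.items() if k in AUTHZ_ATTRS}
        self.store[uid] = (now + self.ttl, kept)
        return kept


def fake_ldap(uid):
    """Stand-in for the directory query (constructed, no network)."""
    return SAMPLE_LDIF if uid == "sding" else "dn: uid=%s\nuid: %s\n" % (uid, uid)


if __name__ == "__main__":
    cache = AuthzCache(fake_ldap, ttl=300)
    for _ in range(2):                      # second call is served from cache
        print(vlan_reply(cache.get("sding", now=1000)))
    print("LDAP queries:", cache.ldap_queries)
```

Running it shows the second lookup for the same uid answered from the cache (one directory query for two authorisations), an Active user landing on VLAN 200, and an unknown or non-Active user returning None so the policy can reject rather than fall through to a default VLAN.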

