On 7 Mar 2011, at 22:14, Alexander Clouter wrote:

> Guy <[email protected]> wrote:
>>
>> I now have FreeRadius granting access and using LDAP for username and
>> password information.
>>
>> My next challenge, using the same Radius and LDAP server I would like
>> to grant different users access via different NAS clients.
>>
>> eg in LDAP I would have:
>>
>> uid=guy
>> services: VPN
>> services: WiFi
>>
>> If I have the "services: VPN" then I would be allowed to connect to
>> the VPN server and if I don't have that entry in my LDIF then it would
>> not be allowed to access.
>>
>> Any ideas on how to do this, simply?
>>
> ..."Dear Lazyweb" eh? You should really *attempt* to try, or show you
> have attempted something,

"Dear Teacher", just like back at school "Please show your working.." :)

I did spend quite some time searching for the answer, however documentation "end-to-end" seems to be a little lacking.

>
> http://www.mail-archive.com/[email protected]/msg59481.html
> http://www.mail-archive.com/[email protected]/msg62699.html
>
> Now use "%{client:keyword}" in your LDAP xlat search query...
>

Thanks for the hints.. I've now got this to work...

In modules/ldap I changed filter to:

    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(authorizedService=%{client:service}))"

Then in clients.conf.. just added an entry to each client:

    client VPN_Server {
            secret = ssshhh!
            shortname = vpn
            nastype = other
            service = VPN
    }

And finally for each user in the LDAP database I add the entry:

    authorizedService: VPN

That's it, I can now control access to each client via VPN data.

> To be honest though, your approach *abuses* LDAP, you should be adding
> them to a *group*, not bloating-up and overloading the user object;
> otherwise you might as well use something horrible like SQL...
>

I would argue that point most strongly but this is not the place..

Thanks again for the help

--Guy

> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: A woman can never be too rich or too thin.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
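
The per-client filter described in the message above, modelled as an added example that is not part of the original thread and is not FreeRADIUS code. It expands the same filter template for a request and a NAS client and evaluates it against a small directory. The client table, the directory entries, case-insensitive matching and the RFC 4515 escaping step are assumptions of this sketch.

```python
import re

# Constructed sample data (assumptions, not from the original post).
CLIENTS = {"vpn": "VPN", "wifi": "WiFi"}   # clients.conf shortname -> service
DIRECTORY = [
    {"uid": ["guy"], "authorizedService": ["VPN", "WiFi"]},
    {"uid": ["alice"], "authorizedService": ["WiFi"]},
    {"uid": ["bob"]},                        # no authorizedService at all
]

def ldap_escape(value):
    """Hex-escape RFC 4515 filter metacharacters so values stay literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(request, client):
    """Expand the post's filter template for one request and one NAS client."""
    # Models %{%{Stripped-User-Name}:-%{User-Name}}: prefer the stripped name.
    user = request.get("Stripped-User-Name") or request["User-Name"]
    return "(&(uid=%s)(authorizedService=%s))" % (
        ldap_escape(user), ldap_escape(CLIENTS[client]))

def _unescape(value):
    """Turn \\xx hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def entry_matches(entry, ldap_filter):
    """Evaluate an AND of equality terms, the only shape build_filter emits."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    for attr, raw in terms:
        # Assumption: both attributes compare case-insensitively.
        values = [v.lower() for v in entry.get(attr, [])]
        if raw == "*":                       # unescaped '*' is a presence test
            if not values:
                return False
        elif _unescape(raw).lower() not in values:
            return False
    return bool(terms)

def authorize(request, client):
    """Return True when some directory entry satisfies the expanded filter."""
    ldap_filter = build_filter(request, client)
    return any(entry_matches(e, ldap_filter) for e in DIRECTORY)

if __name__ == "__main__":
    for name in ("guy", "alice", "bob"):
        for client in CLIENTS:
            print(name, client, authorize({"User-Name": name}, client))
```

A user whose entry lacks the matching authorizedService value returns no search result for that client, which is what turns the single filter into a per-NAS access decision.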

