On 2013-01-09 10:27, Tobias Hachmer wrote:
On Wednesday 09 January 2013 09:29:48 Rudolph Bott wrote:
Is there a possibility to set a different basedn for group lookups OR
another feasible solution (e.g. modify the filter...?). Filter and
groupmembership_filter are currently set to:

Create a new ldap module called e.g. ldap2 (just copy the existing ldap module and rename it to ldap2; also rename it in the module itself, otherwise FR tries to instantiate the ldap module twice), adjust the new basedn there and
call it where you want in the authorize section.

I am not sure if that would work in this case (but maybe I just got the concept of the LDAP module wrong):

* NAS XY connects to FR with an Access-Request
* the huntgroup/users file tells FR to require the membership of an LDAP-Group named 'blah'
* the LDAP module which does the authentication automatically checks if the current user (which it uses to bind to LDAP) is a member of that group

How would I exactly fit in another copy of the LDAP module in this scenario? Wouldn't that mean that the second instance of that module would also have to bind to LDAP using the same settings? And how would I tell the second instance to check for the group required by the users file instead of the first module?

For completeness, this is a sample line from the huntgroups file:

HQ              NAS-IP-Address == 1.2.3.4

And this the corresponding users file:

DEFAULT Huntgroup-Name == HQ, Ldap-Group == SpecialUserGroup
        Reply-Message = "\n###### Access granted by SpecialUserGroup ########\n",
        Fall-Through = no

If there is a request from the NAS specified by that IP address, the LDAP module will automatically check if the user is in the group SpecialUserGroup.


Regards,
Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Mit freundlichen Grüßen / with kind regards
  Rudolph Bott
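To make the two-instance setup concrete, here is an added example configuration; it is not config from either poster nor from the FreeRADIUS project. It assumes FreeRADIUS 2.x, where an instance declared as `ldap ldap2 { ... }` registers its own `ldap2-Ldap-Group` check attribute alongside the shared `Ldap-Group`. The server name, DNs, bind credentials and the `ou=groups` subtree are placeholders; the instance name `ldap2`, the huntgroup `HQ` and the group `SpecialUserGroup` are the ones from the thread.

```unlang
# raddb/modules/ldap (constructed example): first instance, used to find and
# authenticate the user under the people subtree.
ldap {
        server = "ldap.example.net"                           # placeholder
        identity = "cn=radius,ou=services,dc=example,dc=net"  # placeholder bind DN
        password = "CHANGE-ME"                                # placeholder
        basedn = "ou=people,dc=example,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # a successful user lookup stores the user's DN in control:Ldap-UserDn
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# raddb/modules/ldap2 (constructed example): second instance of the same module
# under a different name, pointed at the group subtree. Declaring it as
# "ldap ldap2" avoids a duplicate "ldap" instance and registers the check
# attribute ldap2-Ldap-Group.
ldap ldap2 {
        server = "ldap.example.net"                           # placeholder
        identity = "cn=radius,ou=services,dc=example,dc=net"  # placeholder bind DN
        password = "CHANGE-ME"                                # placeholder
        basedn = "ou=groups,dc=example,dc=net"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        # the group search becomes (&(cn=<group>)(member=<user DN>)) under basedn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
}

# radiusd.conf: a module that is not called from any section is never loaded,
# so the second instance is listed here (it only has to provide the compare).
instantiate {
        ldap2
}

# sites-enabled/default, authorize section: ldap must run before files so that
# control:Ldap-UserDn is already set when the users file check item is evaluated.
authorize {
        preprocess      # reads huntgroups and sets Huntgroup-Name
        ldap            # user lookup under ou=people, sets control:Ldap-UserDn
        files           # users file: ldap2-Ldap-Group == ... calls ldap2's compare
        pap
}

# users: the entry from the thread, now naming the second instance's attribute
DEFAULT Huntgroup-Name == HQ, ldap2-Ldap-Group == SpecialUserGroup
        Reply-Message = "Access granted by SpecialUserGroup",
        Fall-Through = no
```

The second instance never has to find the user itself: `ldap` runs first and stores the user's DN in `control:Ldap-UserDn`, which the `ldap2` groupmembership_filter substitutes when `files` evaluates the `ldap2-Ldap-Group` check item, so the only search `ldap2` performs is for the group under `ou=groups`. If `files` ran before `ldap`, the compare would have to look the user up under the group subtree with its own `filter` and the check would fail. Using the instance-qualified attribute also avoids ambiguity, since plain `Ldap-Group` is registered by both instances. Running `radiusd -X` and sending a test request for a user in and out of the group shows which instance performs the group search and under which base DN.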