I managed it, there is one attribute in our ldap where I can exactly define
where the user should be authorized.
With the radiusAuthType attribute it works perfectly now.
Thanks a lot for this little hint :-)
Stefan
--- Original Message ---
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authorization depending on authentication (ldap)
Date: Thu, 5 Jan 2006 13:56:35 +0100 (MET)
sorry, now i understand what you meant with that:
ldap1:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP1
ldap2:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP2
ldap3:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP3
i should change the ldap-directory. isn't it possible to make it fit my
needs without changing the ldap-directory? without freeradius-1.1?
--- Original Message ---
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authorization depending on authentication (ldap)
Date: Thu, 5 Jan 2006 13:30:16 +0100 (MET)
I assume you meant
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap2 authorize on ldap2
if authentication runs over ldap3 authorize on ldap3
sorry my fault - should check my copy-paste better ;-)
The authenticate processing should set Auth-Type to a unique value
for each instance. If you're using the default schema, then you can
do that by adding a radiusAuthType ldap attribute to each user. Or
maybe better: Use a default profile to set the appropriate
radiusAuthType for each ldap instance.
E.g. add something like this to the directories:
ldap1:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP1
ldap2:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP2
ldap3:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP3
hm, i don't understand where i should add this kind of lines. i guess
they should be in the users file as a default entry.
can you give a complete working sample for such an entry? sorry if this
would be base-knowledge but i don't know how to check ldap-settings in
the users file.
thanks in advance
Stefan
--- Original Message ---
From: Bjørn Mork [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: authorization depending on authentication (ldap)
Date: Thu, 05 Jan 2006 11:56:33 +0100
[EMAIL PROTECTED] writes:
i am running freeradius-1.0.2-5.5
there are 3 ldap instances:
ldap1,ldap2,ldap3.
and authenticate them all after another in the authentication section
like this:
authenticate {
    ldap1
    ldap2
    ldap3
}
same in authorize-section:
authorize {
    ldap1
    ldap2
    ldap3
}
now my problem is, that if the user x is authenticated at ldap2 for
instance the authorization fails because the user isn't found at ldap1
(freeradius doesn't seem to try authorizing on ldap2 or ldap3)
what i need would be a solution how to realize the following needs:
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap1 authorize on ldap2
if authentication runs over ldap1 authorize on ldap3
how can i do that?
I assume you meant
if authentication runs over ldap1 authorize on ldap1
if authentication runs over ldap2 authorize on ldap2
if authentication runs over ldap3 authorize on ldap3
The authenticate processing should set Auth-Type to a unique value
for each instance. If you're using the default schema, then you can
do that by adding a radiusAuthType ldap attribute to each user. Or
maybe better: Use a default profile to set the appropriate
radiusAuthType for each ldap instance.
E.g. add something like this to the directories:
ldap1:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP1
ldap2:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP2
ldap3:
dn: cn=radprofile,ou=dialup,o=My Org,c=UA
radiusAuthType: LDAP3
And then in radiusd.conf:
modules {
    ..
    ldap ldap1 {
        ..
        # quoted because the DN contains a space
        default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        ..
    }
    ldap ldap2 {
        ..
        default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        ..
    }
ldap ldap3 {