List: freeradius-users
Subject: RE: Client-specific ldap instances.
From: Zawacki Jason D Contr AFRL/IFOS <Jason.Zawacki () rl ! af ! mil>
Date: 2005-04-27 12:00:37
Message-ID: 8FF908802100A9419F2792537D08AF180DAD8863 () FSJREZ02 ! adm ! rl ! af ! mil
Yes, I do. Thanks!

-----Original Message-----
From: freeradius-users-admin@lists.freeradius.org
[mailto:freeradius-users-admin@lists.freeradius.org] On Behalf Of Michael
Mitchell
Sent: Wednesday, April 27, 2005 8:00 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Client-specific ldap instances.

Zawacki Jason D Contr AFRL/IFOS wrote:
> Hello all.
>
> I'm trying to get ldap instances working on a per client basis. For
> example, any authentication requests coming from host example1 should be
> authenticated using the ldap example1 instance, and example2 should be
> auth'd using the ldap example2 instance. Maybe I've been staring at
> this for too long, but I just can't see how this is done. I've looked
> at modifying the users and the clients file and just cannot figure it
> out. The ldap username/password lookups work just fine. I'm hoping
> that there is an easy answer that I'm oblivious to at this time. My
> intent is to use different AD groups to authenticate users from
> different hosts and/or services, without having to run different radius
> servers.
>
> Thanks, in advance, for any help!
> Jason

Hi Jason,

I think the easiest way to do what you want is to:

1) Define multiple ldap instances in the modules section of radiusd.conf, e.g.

    ldap ldap_client1 {
    }
    ldap ldap_client2 {
    }

2) In the authorize section of radiusd.conf, do something like:

    Autz-Type LDAP1 {
        ldap_client1
    }
    Autz-Type LDAP2 {
        ldap_client2
    }

3) Then in the users file:

    DEFAULT Client-IP-Address == x.x.x.1, Autz-Type := LDAP1
    DEFAULT Client-IP-Address == x.x.x.2, Autz-Type := LDAP2

I think you could also do a similar thing for the Auth-Type if you
authenticate against LDAP also.

Hope you get the idea...

cheers,
Mike
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
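
Added example, not part of the original messages: the three steps from Mike's reply filled in as one configuration sketch, with each instance's search filter limited to a different AD group, which is the goal stated in the original question. The server name, DNs, group names, bind password and client addresses are placeholders chosen for illustration, and the memberOf filter is one assumed way to tie an instance to a group.

```conf
# --- radiusd.conf: modules section ---------------------------------------
# One ldap instance per RADIUS client. All values below are placeholders.
modules {
    ldap ldap_client1 {
        server   = "dc1.example.com"
        identity = "cn=radius-bind,ou=Service,dc=example,dc=com"
        password = "REPLACE_WITH_BIND_PASSWORD"
        basedn   = "dc=example,dc=com"
        # The search only matches members of the group allowed on client 1.
        filter   = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=client1-users,ou=Groups,dc=example,dc=com))"
    }
    ldap ldap_client2 {
        server   = "dc1.example.com"
        identity = "cn=radius-bind,ou=Service,dc=example,dc=com"
        password = "REPLACE_WITH_BIND_PASSWORD"
        basedn   = "dc=example,dc=com"
        # The search only matches members of the group allowed on client 2.
        filter   = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=cn=client2-users,ou=Groups,dc=example,dc=com))"
    }
}

# --- radiusd.conf: authorize section -------------------------------------
authorize {
    preprocess
    # files reads the users file, which is where Autz-Type gets set.
    files
    Autz-Type LDAP1 {
        ldap_client1
    }
    Autz-Type LDAP2 {
        ldap_client2
    }
}

# --- users file ----------------------------------------------------------
# Select the Autz-Type by the address of the client sending the request.
# 192.0.2.1 and 192.0.2.2 are documentation addresses standing in for the
# two real clients.
DEFAULT Client-IP-Address == 192.0.2.1, Autz-Type := LDAP1
DEFAULT Client-IP-Address == 192.0.2.2, Autz-Type := LDAP2
```

Running radiusd in debug mode (`radiusd -X`) against a test request from each client shows which ldap instance handled the authorize step.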