
List:       freeradius-users
Subject:    combining LDAP and SQL
From:       mj mailing lists user <mj () resulb ! ulb ! ac ! be>
Date:       2008-11-27 10:42:00
Message-ID: 73rddu$37sasr () smtp ! ulb ! ac ! be

Hi,

I've got a working (my)sql freeradius2.1 configuration where users are put
in groups (usergroup). I added an 'IP' column to radgroupcheck table so
that I can force radius clients into some groups (via
%{Client-IP-Address}).

This allows me to say who can connect from where (WiFi, Dialup,
StudentRooms,...) and have users in multiple groups. Up to now all my users
are stored in the db.

I'm now asked to integrate a new LDAP server into the equation.
Not all users will be put in LDAP (guest users, conference groups will stay
in the DB). So there will still be users in the DB. All LDAP users have to
be granted WiFi access. Other accesses are DB dependent (dialup,
StudentRooms,...).

I've tried to add both ldap and sql authorization but I've got trouble
limiting LDAP users.

This is how it should work:
a: if LDAP OK and client is in "WiFi" accept
b: if LDAP OK and user in usergroup for the right group
   (%{Client-IP-Address} dependent) accept
c: if LDAP !OK do the classic sql processing.

If I understand well the usual sql process is as follows:
  1. check user in radcheck
  2.  if found check user in usergroup
  3.   if found check radgroupcheck

But if LDAP knows the user I've got to add 'WiFi' group to the result of
the usergroup query and skip the radcheck query.

Do you see a way through this?

Thanks for reading me.

Michel



