List: freeradius-users
Subject: Re: Different reply items out of LDAP depending on the NAS
From: Peter Lambrechtsen <plambrechtsen () gmail ! com>
Date: 2009-08-28 19:16:52
Message-ID: a9a8c2eb0908281216l7c36d1a2t5d3036118a9f8cf9 () mail ! gmail ! com
On Sat, Aug 29, 2009 at 7:11 AM, Peter Lambrechtsen <plambrechtsen@gmail.com
> wrote:
> On Fri, Aug 28, 2009 at 10:38 PM, Ivan Kalik <tnt@kalik.net> wrote:
>
>> > I am trying to have granular reply items depending on the NAS they
>> > connected to, all driven using attributes in LDAP without needing to use
>> > realms.
>> >
>> > IE User A passes just User&Password to NAS A and gets reply attr
>> > "Service-Type=admin", and the admin comes from an LDAP attribute "nasA".
>> > Same user logs into NAS B and gets back a "Service-Type=user" and the
>> > value user comes from an attribute "nasB".
>> >
>> > Looking through the ldap.attrmap it seems to be a static mapping for
>> > Service-Type to be statically set to a single value from LDAP, but what
>> > happens if I want that value to be different depending on which NAS I
>> > have connected from.
>> >
>> > Have searched around and haven't found any documents talking about how to
>> > have this granular level of configuration.
>>
>> Well, you have custom attributes in LDAP - translate them to custom
>> attributes in RADIUS (define them first in raddb/dictionary and map them
>> in ldap.attrmap, let's say nasA to nasA as replyItem, etc.)
>>
>> Then use unlang to set service type:
>>
>> if(NAS-IP-Address == NAS A IP) {
>> update reply {
>> Service-Type = "%{reply:nasA}"
>> }
>> }
>> elsif(NAS-IP-Address == NAS B IP) {
>> ...
>
>
> Another thought would be to have ldap group based authorize and attributes
> being passed back.
>
> IE the user has a "member" attribute specifying which services it has
> access to and which attributes are to be passed back.
>
> This is the user in LDAP.
>
> dn: cn=user,o=users
> member: cn=admin,ou=nasA,o=radius
> member: cn=user,ou=nasB,o=radius
> member: cn=1,ou=nasC,o=radius
> member: cn=15,ou=nasC,o=radius
> member: cn=somethingelse,o=groups
>
> Then I think I would specify in the clients the update reply ie:
>
> if(NAS-IP-Address == NAS A IP) {
>
> update reply {
> Service-Type = "%{reply:nasA}"
> }
> }
>
What I was actually meaning was:

if (NAS-IP-Address == NAS A IP) {
    # only look at groups that live under this NAS's OU
    if (member =~ /ou=nasA,o=radius/) {
        if (member == "cn=admin,ou=nasA,o=radius") {
            update reply {
                Service-Type = "admin"
            }
        }
    }
}

Or something similar.
I assume I would update the post-auth section under sites-enabled/default?
Or would it be under clients.conf or the modules/ldap?
>
>
>
>
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
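Pulling the two approaches in this thread together, here is an added worked configuration (an editorial example, not code from either poster): the raddb/dictionary and ldap.attrmap entries Ivan describes, plus unlang in the authorize section of sites-enabled/default, placed after the ldap call so the mapped reply items already exist (post-auth would see them too). The attribute names and numbers, the NAS addresses 192.0.2.10 and 192.0.2.20, and the groupmembership_attribute = member setting assumed by the Ldap-Group variant are all assumptions.

```unlang
# raddb/dictionary: site-local attributes (constructed numbers in the
# 3000+ range; numbers above 255 are server-internal and never hit the wire)
ATTRIBUTE   NasA-Service-Type   3000   string
ATTRIBUTE   NasB-Service-Type   3001   string

# raddb/ldap.attrmap: the per-NAS LDAP attributes become reply items
replyItem   NasA-Service-Type   nasA
replyItem   NasB-Service-Type   nasB

# raddb/sites-enabled/default, authorize section. The ldap call comes
# first so the reply items it fetched are already in the reply list.
authorize {
    ldap
    # ... Auth-Type handling as in the stock default site ...

    # Variant 1 (per-NAS attribute, Ivan's suggestion): copy the value
    # the LDAP entry holds for this NAS. 192.0.2.x are placeholder addresses.
    if (NAS-IP-Address == 192.0.2.10) {
        if (reply:NasA-Service-Type) {
            update reply {
                Service-Type := "%{reply:NasA-Service-Type}"
            }
        }
    }
    elsif (NAS-IP-Address == 192.0.2.20) {
        if (reply:NasB-Service-Type) {
            update reply {
                Service-Type := "%{reply:NasB-Service-Type}"
            }
        }
    }

    # Variant 2 (group membership, Peter's "member" idea): the user's member
    # attribute names a group under the NAS's OU. Assumes modules/ldap has
    # groupmembership_attribute = member so Ldap-Group can be compared.
    if (NAS-IP-Address == 192.0.2.10 && Ldap-Group == "cn=admin,ou=nasA,o=radius") {
        update reply {
            Service-Type := Administrative-User
        }
    }

    # No mapping for this NAS: fall back to the least privileged value
    # rather than leaving Service-Type to whatever LDAP happened to return.
    if (!reply:Service-Type) {
        update reply {
            Service-Type := Login-User
        }
    }
}
```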
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html