(RADIATOR) AuthBy LDAP and LDAP groups

Matt Richard matt.richard at fandm.edu
Tue May 27 11:11:03 CDT 2003


Hi,

I couldn't see any examples of how to do another LDAP search in a 
PostSearchHook, and it's not obvious to me how I would do that.

The first option you mentioned is to use multiple AuthBy LDAP2 
clauses.  The first clause checks the user's password, either with a 
search or a bind.  This is working well.  But the second clause still 
keeps trying to get the user's password, which won't work if I'm 
working with a group DN instead of a user DN.

How do I write the second AuthBy LDAP2 clause so that it doesn't 
check the password or try to bind with the password?  I need to 
compare a string; I don't need it to work with passwords, since that 
was done in the first clause.

Thanks,

Matt


>Hello Matt -
>
>You could either use multiple AuthBy LDAP2 clauses to do the various 
>queries (and storing temporary results in the incoming request), or 
>you could use a PostSearchHook to do further manipulation of the 
>query results.
>
>regards
>
>Hugh
>
>
>On Wednesday, May 21, 2003, at 23:09 Australia/Melbourne, Matt Richard wrote:
>
>>Hi,
>>
>>I need different RADIUS attributes based on which LDAP group a user 
>>belongs to.
>>
>>The user container does not contain group membership information - 
>>the group contains a list of the group members in a multivalued 
>>field called "memberuid".
>>
>>So I need to search for membership within a group.  I can do this 
>>with "SearchFilter (&(memberuid=%1)(cn=radiusvpn))"  but any 
>>subsequent search or bind uses the results of this filter as the 
>>new DN.
>>
>>What I really need is a way to do two searches of the LDAP 
>>database. The first should be the password search, or a bind would 
>>work okay also.
>>
>>The second search should fail if the SearchFilter doesn't return 
>>with the DN of a group.  An LDAP compare might be okay, if there's 
>>a way to do that.  If the search succeeds, Radiator could grab the 
>>RADIUS attributes stored at that DN.
>>
>>Has anyone done this before?  Or is there a simple solution I have 
>>overlooked?
>>
>>I'm running Radiator on Mac OSX Server (10.2.6) and authenticating 
>>users on a Cisco VPN3000 and AS5200, via the LDAP/NetInfo users & 
>>groups database.
>>
>>Thanks!
>>
>>Matt
>>--
>>Matt Richard
>>Access and Security Coordinator
>>Franklin & Marshall College
>>matt.richard at fandm.edu
>>(717) 291-4157
>>===
>>Archive at http://www.open.com.au/archives/radiator/
>>Announcements on radiator-announce at open.com.au
>>To unsubscribe, email 'majordomo at open.com.au' with
>>'unsubscribe radiator' in the body of the message.
>>
>
>NB: have you included a copy of your configuration file (no secrets),
>together with a trace 4 debug showing what is happening?
>
>--
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>-
>Nets: internetwork inventory and management - graphical, extensible,
>flexible with hardware, software, platform and database independence.
>


-- 
Matt Richard
Access and Security Coordinator
Franklin & Marshall College
matt.richard at fandm.edu
(717) 291-4157
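As an added illustration of the two-step logic described in this thread (not Radiator's own code, and not from any poster): step one checks the password against the user entry; step two runs a separate membership search of the group entry with the (&(memberuid=%1)(cn=radiusvpn)) filter, never touches the password, and returns the RADIUS reply attributes stored at the group DN. The in-memory directory, DNs, user names and attribute names are constructed for the example.

```python
import hmac
import re

# Constructed stand-in for the directory in the thread: user entries hold the
# password; the group holds its members in the multivalued "memberuid"
# attribute together with the RADIUS reply attributes to return for that group.
DIRECTORY = {
    "uid=alice,cn=users,dc=example,dc=edu": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,cn=users,dc=example,dc=edu": {"uid": ["bob"], "userPassword": ["hunter2"]},
    "cn=radiusvpn,cn=groups,dc=example,dc=edu": {
        "cn": ["radiusvpn"], "memberuid": ["alice"],
        "Framed-IP-Netmask": ["255.255.255.0"], "Class": ["vpn-users"],
    },
}

_TERM = re.compile(r"\((\w[\w-]*)=([^()]*)\)")

def search(search_filter, username):
    # Evaluate a flat AND filter such as (&(memberuid=%1)(cn=radiusvpn)).
    # The filter is parsed first and %1 substituted afterwards, so a username
    # containing filter metacharacters cannot add or remove terms.
    terms = [(a, v.replace("%1", username)) for a, v in _TERM.findall(search_filter)]
    return [(dn, e) for dn, e in DIRECTORY.items()
            if all(v in e.get(a, []) for a, v in terms)]

def check_password(username, password):
    # Step 1 (first clause): locate the user entry and verify the password.
    # This is the only function that ever looks at the password.
    hits = search("(&(uid=%1))", username)
    if len(hits) != 1:
        return False
    stored = hits[0][1].get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())

def group_reply_attributes(username, group_cn):
    # Step 2 (second clause): search the group entry by membership only, with
    # no password involved. Returns the reply attributes stored at the group
    # DN, or None when the filter does not match exactly one group.
    hits = search("(&(memberuid=%1)(cn=" + group_cn + "))", username)
    if len(hits) != 1:
        return None
    entry = hits[0][1]
    return {k: v[0] for k, v in entry.items() if k not in ("cn", "memberuid")}

def authorize(username, password, group_cn="radiusvpn"):
    # Accept only when both steps succeed; reply with the group's attributes.
    if not check_password(username, password):
        return False, {}
    attrs = group_reply_attributes(username, group_cn)
    return (True, attrs) if attrs is not None else (False, {})
```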