(RADIATOR) AuthBy LDAP and LDAP groups

Mike McCauley mikem at open.com.au
Tue May 27 12:05:32 CDT 2003


Hello Matt,


On Wed, 28 May 2003 02:11 am, Matt Richard wrote:
> Hi,
>
> I couldn't see any examples of how to do another LDAP search in a
> PostSearchHook, and it's not obvious to me how I would do that.
>
> The first option you mentioned is to use multiple AuthBy LDAP2
> clauses.  The first clause checks the user's password, either with a
> search or a bind.  This is working well.  But the second clause still
> keeps trying to get the user's password, which won't work if I'm
> working with a group DN instead of a user DN.
>
> How do I write the second AuthBy LDAP2 clause so that it doesn't
> check the password or try to bind with the password?  I need to
> compare a string, I don't need it to work with passwords - that was
> done in the first clause.

If there is no PasswordAttr defined in your AuthBy LDAP2, then Radiator 
will not attempt to get a password from the server nor check the password.

Hope that helps.

Cheers.
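For readers of the archive, here is the two-clause layout Mike describes written out as a Radiator configuration. This is an added example, not from the thread or the Radiator distribution; the hostname, base DNs and the ReplyAttr attribute name are placeholders, and the group filter is the one Matt posted.

```text
# Added example, not from the thread: two AuthBy LDAP2 clauses in one Handler.
# Hostnames, DNs and the ReplyAttr attribute name are placeholders.
<Handler>
    # Go on to the second clause only if the first one accepts
    AuthByPolicy ContinueWhileAccept

    # Clause 1: authenticate the user. PasswordAttr is set, so Radiator
    # fetches the password from the user's entry and checks it.
    <AuthBy LDAP2>
        Host            ldap.example.com
        BaseDN          cn=users,dc=example,dc=com
        UsernameAttr    uid
        PasswordAttr    userPassword
    </AuthBy>

    # Clause 2: group membership. No PasswordAttr, so Radiator neither
    # fetches nor checks a password here. If the filter matches nothing,
    # the search finds no entry and the request is rejected; if it matches
    # the group entry, reply items are read from the ReplyAttr attribute
    # of that entry (attribute name is a placeholder).
    <AuthBy LDAP2>
        Host            ldap.example.com
        BaseDN          cn=groups,dc=example,dc=com
        SearchFilter    (&(memberuid=%1)(cn=radiusvpn))
        ReplyAttr       radiusReplyItem
    </AuthBy>
</Handler>
```

Run with a trace 4 debug to confirm that the second clause logs only the group search and no password retrieval.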

>
> Thanks,
>
> Matt
>
> >Hello Matt -
> >
> >You could either use multiple AuthBy LDAP2 clauses to do the various
> >queries (and storing temporary results in the incoming request), or
> >you could use a PostSearchHook to do further manipulation of the
> >query results.
> >
> >regards
> >
> >Hugh
> >
> >On Wednesday, May 21, 2003, at 23:09 Australia/Melbourne, Matt Richard wrote:
> >>Hi,
> >>
> >>I need different RADIUS attributes based on which LDAP group a user
> >>belongs to.
> >>
> >>The user container does not contain group membership information -
> >>the group contains a list of the group members in a multivalued
> >>field called "memberuid".
> >>
> >>So I need to search for membership within a group.  I can do this
> >>with "SearchFilter (&(memberuid=%1)(cn=radiusvpn))"  but any
> >>subsequent search or bind uses the results of this filter as the
> >>new DN.
> >>
> >>What I really need is a way to do two searches of the LDAP
> >>database. The first should be the password search, or a bind would
> >>work okay also.
> >>
> >>The second search should fail if the SearchFilter doesn't return
> >>with the DN of a group.  An LDAP compare might be okay, if there's
> >>a way to do that.  If the search succeeds, Radiator could grab the
> >>RADIUS attributes stored at that DN.
> >>
> >>Has anyone done this before?  Or is there a simple solution I have
> >>overlooked?
> >>
> >>I'm running Radiator on Mac OSX Server (10.2.6) and authenticating
> >>users on a Cisco VPN3000 and AS5200, via the LDAP/NetInfo users &
> >>groups database.
> >>
> >>Thanks!
> >>
> >>Matt
> >>--
> >>Matt Richard
> >>Access and Security Coordinator
> >>Franklin & Marshall College
> >>matt.richard at fandm.edu
> >>(717) 291-4157
> >>===
> >>Archive at http://www.open.com.au/archives/radiator/
> >>Announcements on radiator-announce at open.com.au
> >>To unsubscribe, email 'majordomo at open.com.au' with
> >>'unsubscribe radiator' in the body of the message.
> >
> >NB: have you included a copy of your configuration file (no secrets),
> >together with a trace 4 debug showing what is happening?
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >-
> >Nets: internetwork inventory and management - graphical, extensible,
> >flexible with hardware, software, platform and database independence.
> >
