(RADIATOR) Ldap Searchfilters
Hugh Irvine
hugh at open.com.au
Wed Feb 21 01:06:51 CST 2007
Hello Matt -
Yes this is fairly simple to do - here is how:
<AuthBy LDAP2>
	Identifier LDAP-AUTH1
	Host 192.168.1.1
	AuthDN cn=admin,ou=bla
	AuthPassword password
	UsernameAttr cn
	PasswordAttr userPassword
	SearchFilter (&(cn=%{User-Name})(accountStatus=1)(Services=%{Handler:Identifier}))
</AuthBy>

<AuthBy LDAP2>
	Identifier LDAP-AUTH2
	Host 192.168.1.2
	AuthDN cn=admin,ou=bla
	AuthPassword password
	UsernameAttr cn
	PasswordAttr userPassword
	SearchFilter (&(cn=%{User-Name})(accountStatus=1)(Services=%{Handler:Identifier}))
</AuthBy>

<Handler Realm=dialup.domain.com.au>
	Identifier dialup
	<AuthBy GROUP>
		AuthBy LDAP-AUTH1
		AuthBy LDAP-AUTH2
	</AuthBy>
</Handler>

<Handler Realm=dsl.domain.com.au>
	Identifier dsl
	<AuthBy GROUP>
		AuthBy LDAP-AUTH1
		AuthBy LDAP-AUTH2
	</AuthBy>
</Handler>
Alternatively you could define the whole SearchFilter in the
Identifier and use this:
SearchFilter %{Handler:Identifier}
BTW - could you please tell me the name of the registered company
that has purchased this copy of Radiator?
Please reply to me directly.
hope that helps
regards
Hugh
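The two SearchFilter styles above both work by expanding `%{...}` specials into the filter string at request time. The following is an added example, not Radiator code, that simulates that expansion for the two specials used in this thread, `%{User-Name}` and `%{Handler:Identifier}`, and shows what a safe expansion has to do with the request-sourced part: `User-Name` arrives from the NAS in the Access-Request, so it is the value an LDAP filter must escape per RFC 4515, while the Handler Identifier is written by the administrator and can be inserted verbatim (which is what makes Hugh's "whole filter in the Identifier" variant possible). Two assumptions are labelled in the code: that the Identifier variant needs the `%{User-Name}` nested inside the Identifier to be expanded as well, and that configuration-sourced specials should be expanded before request-sourced ones so that a request value is never re-scanned for specials. How Radiator itself orders and escapes these expansions should be confirmed in doc/ref.html; the simulator only shows the target behaviour.

```python
"""Simulate %{...} expansion into an LDAP SearchFilter (added example, not Radiator code)."""
import re

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value so they are matched literally.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Matches a special such as %{User-Name} or %{Handler:Identifier}.
_SPECIAL = re.compile(r"%\{([A-Za-z0-9:-]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, request: dict, handler_identifier: str) -> str:
    """Expand the specials in a SearchFilter template.

    template:           the SearchFilter string from the AuthBy LDAP2 clause
    request:            RADIUS request attributes, e.g. {"User-Name": "matt"}
    handler_identifier: the Identifier of the Handler that selected this AuthBy

    Assumption: expansion runs in two stages.  Stage 1 fills in the
    configuration-sourced special %{Handler:Identifier} verbatim; the
    Identifier is administrator-written and may itself be a filter template
    (the second variant in the post), so any %{User-Name} it contains is
    picked up by stage 2.  Stage 2 then expands request-sourced specials
    exactly once, with RFC 4515 escaping, and never re-scans what it inserted.
    """
    stage1 = template.replace("%{Handler:Identifier}", handler_identifier)

    def sub(match: re.Match) -> str:
        name = match.group(1)
        if name not in request:
            raise KeyError(f"no attribute {name!r} in request")
        return escape_filter_value(request[name])

    return _SPECIAL.sub(sub, stage1)


# Variant 1 from the post: one filter template shared by every Handler,
# with the Services value taken from the Handler's Identifier.
SHARED_FILTER = "(&(cn=%{User-Name})(accountStatus=1)(Services=%{Handler:Identifier}))"

# Variant 2 from the post: the whole filter lives in each Handler's Identifier
# and the AuthBy clause says only "SearchFilter %{Handler:Identifier}".
IDENTIFIER_ONLY_FILTER = "%{Handler:Identifier}"
DIALUP_IDENTIFIER = "(&(cn=%{User-Name})(accountStatus=1)(Services=dialup))"


def filters_per_realm(request: dict) -> dict:
    """Return the filter each Handler would send for one request (variant 1)."""
    return {
        realm: expand_filter(SHARED_FILTER, request, identifier)
        for realm, identifier in (
            ("dialup.domain.com.au", "dialup"),
            ("dsl.domain.com.au", "dsl"),
        )
    }


if __name__ == "__main__":
    # Constructed sample requests.
    for realm, flt in filters_per_realm({"User-Name": "matt"}).items():
        print(f"{realm:24} {flt}")
    # A User-Name carrying filter metacharacters is matched literally after escaping.
    print(expand_filter(SHARED_FILTER, {"User-Name": "m*tt)"}, "dsl"))
    # Variant 2: the Identifier supplies the whole filter.
    print(expand_filter(IDENTIFIER_ONLY_FILTER, {"User-Name": "matt"}, DIALUP_IDENTIFIER))
```

The value of the two-stage order shows up in the last check in the test: a request whose `User-Name` is literally the text `%{Handler:Identifier}` ends up in the filter as that literal string, not re-expanded into the Identifier.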
On 21 Feb 2007, at 14:58, Matt wrote:
>
> Hi,
>
> I find myself duplicating AuthBy LDAP2 clauses over and over
> changing only the SearchFilter for use in different Realm based
> handlers. So we have multiple Handlers authing against the same
> LDAP server but needing a different search filter depending on the
> Realm used, hence needing an AuthBy LDAP clause for every different
> Search filter.
>
> So we have nice neat Handlers but massive duplication of the AuthBy
> LDAP2 clauses simply because of the SearchFilter requirements.
>
> It would be nice to have just one AuthBy LDAP2 clause per LDAP
> server but within the handler specify the SearchFilter... I don't
> believe this is possible. That being said though, this config has
> evolved over the years. I thought I'd ask the question, "is there
> a better way"?
>
> Thanks..
>
> Below is a very basic example of how things work now,
>
>
> <AuthBy LDAP2>
>
> Identifier LDAP-DIAL1
> Host 192.168.1.1
> AuthDN cn=admin,ou=bla
> AuthPassword password
> UsernameAttr cn
> PasswordAttr userPassword
> SearchFilter (&(cn=%{User-Name})(accountStatus=1)(Services=dialup))
>
> </AuthBy>
>
> <AuthBy LDAP2>
>
> Identifier LDAP-DSL1
> Host 192.168.1.1
> AuthDN cn=admin,ou=bla
> AuthPassword password
> UsernameAttr cn
> PasswordAttr userPassword
> SearchFilter (&(cn=%{User-Name})(accountStatus=1)(Services=dsl))
>
> </AuthBy>
>
>
> <Handler Realm=dialup.domain.com.au>
>
> <AuthBy GROUP>
> AuthBy LDAP-DIAL1
> AuthBy LDAP-DIAL2
> </AuthBy>
>
> </Handler>
>
> <Handler Realm=dsl.domain.com.au>
>
> <AuthBy GROUP>
> AuthBy LDAP-DSL1
> AuthBy LDAP-DSL2
> </AuthBy>
>
> </Handler>
>
> Matt.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.