[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?
Jennifer Mehl
jmehl at physics.ucsb.edu
Mon Apr 26 17:39:48 CDT 2010
Hi there,
I'm using the AUTHBYLDAP2 to do simple authentication to our campus LDAP directory for VPN services. It is working fine so far.
I'd like to further limit access to this VPN service to authenticated users with particular email domains in their mail LDAP attribute. There are to be 4 different "allowed" email domains.
How do I best do this? I believe I need to use AuthAttrDef and look for the mail LDAP attribute, but not sure exactly how to accept the authentication if the correct email domain exists, and deny if the attribute is empty or contains any other domain.
I'm using RADIATOR 4.0 on Linux.
Here is the relevant part of radius.cfg:
<Handler>
# strip realm
RewriteUsername s/^([^@]+).*/$1/
# lowercase
RewriteUsername tr/A-Z/a-z/
AuthByPolicy ContinueUntilAccept
AuthBy BY_FILE
AuthBy BY_UCSB_LDAP
</Handler>
Here is my relevant AUTHBYLDAP2 clause:
#UCSB LDAP Directory
<AuthBy LDAP2>
Identifier BY_UCSB_LDAP
include /etc/radiator/ucsbldap.cfg
</AuthBy LDAP2>
Here is ucsbldap.cfg:
Host directory.ucsb.edu
BaseDN o=ucsb
UsernameAttr uid
PasswordAttr userPassword
ServerChecksPassword
FailureBackoffTime 10
# You can enable debugging of the Net::LDAP
# module with this:
Debug 255
UseSSL
SSLCAFile /usr/share/ssl/cert.pem
SSLVerify require
Thanks for any assistance!
--Jennifer
==================================
Jennifer L. Mehl
Senior Systems Administrator
University of California, Santa Barbara
Physics Computing Services
mailto:jmehl at physics.ucsb.edu
(805) 893-8366, ext 2 (work)
...also rings when working from home
Skype:ucsb.physics.mehl_j
(805) 451-7486 (cell)
==================================
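One way to implement the domain check as a Radiator hook, added here as an example that is not part of the original post and not Radiator's own code. It assumes the AuthBy LDAP2 clause carries `PostSearchHook file:"/etc/radiator/mailcheck.pl"` and that the hook receives ($self, $name, $p, $user, $entry, $rp); the four allowed domains are placeholders, and `mail_domain_allowed`, `%allowed` and the file name are names chosen for this illustration. Check the hook signature and the `Auth-Type Reject` check item against the reference manual for your version.

```perl
# Added example (not from the original post or from Radiator): reject the
# user unless the LDAP "mail" attribute carries one of the allowed domains.
# ASSUMED wiring, inside the <AuthBy LDAP2> clause:
#     PostSearchHook file:"/etc/radiator/mailcheck.pl"
# ASSUMED call convention: ($self, $name, $p, $user, $entry, $rp).
use strict;
use warnings;

# Exact domain names only; the post says there are four. Placeholders here.
my %allowed = map { lc($_) => 1 } qw(
    physics.ucsb.edu
    placeholder-domain-2.example
    placeholder-domain-3.example
    placeholder-domain-4.example
);

# Returns 1 if at least one value of the (possibly multi-valued) mail
# attribute is a plain address whose domain is exactly on the allow-list,
# otherwise 0. An empty attribute, a malformed value, or a look-alike
# domain such as "ucsb.edu.attacker.example" or "notucsb.edu" yields 0,
# because the domain is compared as a whole, not as a substring.
sub mail_domain_allowed {
    my @values = @_;
    for my $mail (@values) {
        next unless defined $mail;
        $mail =~ s/^\s+|\s+$//g;                 # trim surrounding whitespace
        next unless $mail =~ /^[^@\s]+@([^@\s]+)$/;   # exactly one '@'
        return 1 if $allowed{ lc $1 };
    }
    return 0;
}

# The hook itself: Radiator evaluates this file and uses the code ref.
sub {
    my ($self, $name, $p, $user, $entry, $rp) = @_;
    my @mail = $entry ? $entry->get_value('mail') : ();   # all values
    unless (mail_domain_allowed(@mail)) {
        # Add a check item that can never succeed, so the later password
        # check still produces a clean Access-Reject with a logged reason.
        $user->get_check->add_attr('Auth-Type', 'Reject');
        &main::log($main::LOG_INFO,
            "Rejecting $name: mail attribute missing or not in allowed domains");
    }
}
```

Because the hook runs after the LDAP search and before the bind, a user with no mail attribute is rejected the same way as one with a disallowed domain, which matches the deny-by-default behaviour asked for in the post.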