Re: LDAP->RADIUS Attribute Mapping

Owen DeLong wrote:

> We have historically used the AuthorizedService attribute in LDAP to
> control the level
> of access available to the user. We would like to continue to do so.
> However, in order
> for that to work, I need to map AuthorizedService to different RADIUS
> attributes in
> the response depending on the authentication client.

Do it in two steps. Map the AuthorisedService LDAP attribute to a
RADIUS attribute (invent a local one, see the dictionary docs), and then
depending on the NAS, map that to another attribute.

The reason for doing it this way is that the LDAP -> RADIUS attribute
mapping is simple, and should be kept simple.

> Ideally, I'd like to be able to map RADIUS clients into "groups" and
> have a mapping
> of AuthorizedService values for each group. The client groups would,
> ideally,
> be defined by matching the client IP address. An example of what I'd
> like that
> mapping to look like is below:

Use rlm_passwd to map clients to groups (see it's documentation), and
then the "users" file to map AuthorizedService to another RADIUS
attribute, as described above.

> Alan, your flames and RTFM comments are welcome, but, please understand,
> I've done my best to RTFM before posting this.

As I tell my co-workers, "Remember, there are no stupid questions.
There are only stupid people.".

And they still speak to me after that. :)

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html