Hi all, I am fairly new to OpenLDAP and I was requested to set up the following:
We have ADSL users to authenticate on freeradius which reads the user info via an OpenLDAP server. Now when the user has used a certain amount of data he must be flagged as blocked. His connection is disconnected and upon reconnection he is assigned a different IP address with restricted connectivity untile he tops up his account. I can see that his information needs to be changed in LDAP to maybe assign him to a different uid, something like this:
uid=xxxxxx,dc=radius,dc=example,dc=com (Original) changed to uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com.
My question is now how do I accomplish this, because on the client side he will still try to authenticate as uid=xxxxxx,dc=radius,dc=example,dc=com and I can not control what credentials are sent?
Is it maybe better accomplished from freeradius than from LDAP? The record needs to be changed in LDAP for our admin portal to make use of this to check the client's status.
Regards,
To read FirstRand Bank's Disclaimer for this email click on the following address or copy into your Internet browser: https://www.fnb.co.za/disclaimer.html
If you are unable to access the Disclaimer, send a blank e-mail to firstrandbankdisclaimer@fnb.co.za and we will send you a copy of the Disclaimer.
On Thursday 02 October 2008 07:53:23 Tom Cooper wrote:
Hi all, I am fairly new to OpenLDAP and I was requested to set up the following:
We have ADSL users to authenticate on freeradius which reads the user info via an OpenLDAP server. Now when the user has used a certain amount of data he must be flagged as blocked. His connection is disconnected and upon reconnection he is assigned a different IP address with restricted connectivity untile he tops up his account. I can see that his information needs to be changed in LDAP
Not necessarily. There is no need to do authorization via LDAP just because you do authentication via LDAP (and, I assume, you won't be doing accounting by LDAP either, and your authorization seems to be linked to your accounting anyway).
to maybe assign him to a different uid,
Why change the UID? The User-Name returned by your RADIUS server does not determine (I assume) that he has restricted connectivity, so there is no point in changing the UID (or the DN for that matter). You merely need to have the RADIUS server send the appropriate attributes (which could be stored in LDAP on the user's entry, or in LDAP on an entry the user is a "member" of, or could be the result of authorization via something other than LDAP). However, these details are specific to the RADIUS server (and mosty off-topic on an LDAP list).
something like this:
uid=xxxxxx,dc=radius,dc=example,dc=com (Original) changed to uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com.
My question is now how do I accomplish this, because on the client side he will still try to authenticate as uid=xxxxxx,dc=radius,dc=example,dc=com and I can not control what credentials are sent?
You seem to be assuming that DIT structure is a simple concatenation of strings. A subtree search dc=radius,dc=example,dc=com would find both of the entries above.
However, in general it makes very little sense to move entries around the DIT when you could be better served by modifying attributes on the entry instead.
Is it maybe better accomplished from freeradius than from LDAP? The record needs to be changed in LDAP for our admin portal to make use of this to check the client's status.
But not necessarily by changing the DN or the naming attributes ...
However, maybe you should get a quote for a VISP from us instead :-P.
Regards, Buchan
openldap-technical@openldap.org