Re: Conditionals in LDAP

On Thursday 02 October 2008 07:53:23 Tom Cooper wrote:
> Hi all,
> I am fairly new to OpenLDAP and I was requested to set up the following:
> We have ADSL users to authenticate on freeradius which reads the user
> info via an OpenLDAP server. Now when the user has used a certain amount
> of data he must be flagged as blocked. His connection is disconnected
> and upon reconnection he is assigned a different IP address with
> restricted connectivity until he tops up his account. I can see that
> his information needs to be changed in LDAP

Not necessarily. There is no need to do authorization via LDAP just because 
you do authentication via LDAP (and, I assume, you won't be doing accounting 
by LDAP either, and your authorization seems to be linked to your accounting 

> to maybe assign him to a
> different uid,

Why change the UID? The User-Name returned by your RADIUS server does not 
determine (I assume) that he has restricted connectivity, so there is no point 
in changing the UID (or the DN for that matter). You merely need to have the 
RADIUS server send the appropriate attributes (which could be stored in LDAP 
on the user's entry, or in LDAP on an entry the user is a "member" of, or 
could be the result of authorization via something other than LDAP). However, 
these details are specific to the RADIUS server (and mostly off-topic on an 
LDAP list).

> something like this:
> uid=xxxxxx,dc=radius,dc=example,dc=com (Original)
> changed to
> uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com.
> My question is now how do I accomplish this, because on the client side
> he will still try to authenticate as
> uid=xxxxxx,dc=radius,dc=example,dc=com and I can not control what
> credentials are sent?

You seem to be assuming that DIT structure is a simple concatenation of 
strings. A subtree search dc=radius,dc=example,dc=com would find both of the 
entries above.

However, in general it makes very little sense to move entries around the DIT 
when you could be better served by modifying attributes on the entry instead.

> Is it maybe better accomplished from freeradius than from LDAP? The
> record needs to be changed in LDAP for our admin portal to make use of
> this to check the client's status.

But not necessarily by changing the DN or the naming attributes ...

However, maybe you should get a quote for a VISP from us instead :-P.
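
The subtree-search point in the reply above, as an added example that is not part of the original message: scope is decided by comparing RDN components, not by string concatenation, so a search based at dc=radius,dc=example,dc=com with subtree scope matches the user under both DNs from the thread. The DN parsing is simplified (no multi-valued RDNs), and the container entries in the sample directory are constructed.

```python
import re

def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, leaf first.
    Simplified: handles backslash-escaped commas, not multi-valued RDNs."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope="sub"):
    """True if entry_dn falls under base_dn for scope base/one/sub."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False  # base is not a suffix of the entry's RDN sequence
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def search(directory, base_dn, scope, attr, value):
    """Return DNs in scope whose leaf RDN matches attr=value."""
    want = (attr.lower(), value.lower())
    return [dn for dn in directory
            if in_scope(dn, base_dn, scope) and parse_dn(dn)[0] == want]

# Constructed directory: the two DNs from the thread plus their containers.
DIRECTORY = [
    "dc=radius,dc=example,dc=com",
    "dc=blocked,dc=radius,dc=example,dc=com",
    "uid=xxxxxx,dc=radius,dc=example,dc=com",
    "uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com",
]
BASE = "dc=radius,dc=example,dc=com"

if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print(scope, search(DIRECTORY, BASE, scope, "uid", "xxxxxx"))
```

With one-level scope only the original entry matches, so whether a moved entry is still found depends on the scope the client searches with.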