Hello Matt,

On Wed, 28 May 2003 02:11 am, Matt Richard wrote:
> Hi,
>
> I couldn't see any examples of how to do another LDAP search in a
> PostSearchHook, and it's not obvious to me how I would do that.
>
> The first option you mentioned is to use multiple AuthBy LDAP2
> clauses. The first clause checks the user's password, either with a
> search or a bind. This is working well. But the second clause still
> keeps trying to get the user's password, which won't work if I'm
> working with a group DN instead of a user DN.
>
> How do I write the second AuthBy LDAP2 clause so that it doesn't
> check the password or try to bind with the password? I need to
> compare a string, I don't need it to work with passwords - that was
> done in the first clause.

If there is no PasswordAttr defined in your AuthBy LDAP2, then Radiator
will not attempt to get a password from the server nor check the
password.

Hope that helps.

Cheers.

>
> Thanks,
>
> Matt
>
> >Hello Matt -
> >
> >You could either use multiple AuthBy LDAP2 clauses to do the various
> >queries (and storing temporary results in the incoming request), or
> >you could use a PostSearchHook to do further manipulation of the
> >query results.
> >
> >regards
> >
> >Hugh
> >
> >On Wednesday, May 21, 2003, at 23:09 Australia/Melbourne, Matt Richard wrote:
> >>Hi,
> >>
> >>I need different RADIUS attributes based on which LDAP group a user
> >>belongs to.
> >>
> >>The user container does not contain group membership information -
> >>the group contains a list of the group members in a multivalued
> >>field called "memberuid".
> >>
> >>So I need to search for membership within a group. I can do this
> >>with "SearchFilter (&(memberuid=%1)(cn=radiusvpn))" but any
> >>subsequent search or bind uses the results of this filter as the
> >>new DN.
> >>
> >>What I really need is a way to do two searches of the LDAP
> >>database. The first should be the password search, or a bind would
> >>work okay also.
> >>
> >>The second search should fail if the SearchFilter doesn't return
> >>with the DN of a group. An LDAP compare might be okay, if there's
> >>a way to do that. If the search succeeds, Radiator could grab the
> >>RADIUS attributes stored at that DN.
> >>
> >>Has anyone done this before? Or is there a simple solution I have
> >>overlooked?
> >>
> >>I'm running Radiator on Mac OSX Server (10.2.6) and authenticating
> >>users on a Cisco VPN3000 and AS5200, via the LDAP/NetInfo users &
> >>groups database.
> >>
> >>Thanks!
> >>
> >>Matt
> >>--
> >>Matt Richard
> >>Access and Security Coordinator
> >>Franklin & Marshall College
> >>[EMAIL PROTECTED]
> >>(717) 291-4157
> >>===
> >>Archive at http://www.open.com.au/archives/radiator/
> >>Announcements on [EMAIL PROTECTED]
> >>To unsubscribe, email '[EMAIL PROTECTED]' with
> >>'unsubscribe radiator' in the body of the message.
> >
> >NB: have you included a copy of your configuration file (no secrets),
> >together with a trace 4 debug showing what is happening?
> >
> >--
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >-
> >Nets: internetwork inventory and management - graphical, extensible,
> >flexible with hardware, software, platform and database independence.
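
A configuration sketch of the two-clause approach discussed in this thread, added here as an example and not taken from any poster's configuration. The host name, BaseDN values and the LDAP attribute `vpnGroupClass` are constructed placeholders; `AuthByPolicy`, `AuthAttrDef`, `Host`, `BaseDN` and `UsernameAttr` are Radiator parameters not mentioned in the messages above.

```conf
# Added example (not the posters' config). Placeholder values are marked.
<Handler>
    # Try the next AuthBy only while the previous one accepted, so the
    # group-only clause below can never grant access by itself.
    AuthByPolicy ContinueWhileAccept

    # Clause 1: locate the user entry and check the password.
    <AuthBy LDAP2>
        Host          ldap.example.edu              # placeholder
        BaseDN        cn=users,dc=example,dc=edu    # placeholder
        UsernameAttr  uid
        PasswordAttr  userPassword
    </AuthBy>

    # Clause 2: group membership only. No PasswordAttr is defined, so
    # Radiator neither fetches nor checks a password in this clause.
    # The search succeeds only if the user is listed in the group entry.
    <AuthBy LDAP2>
        Host          ldap.example.edu              # placeholder
        BaseDN        cn=groups,dc=example,dc=edu   # placeholder
        SearchFilter  (&(memberuid=%1)(cn=radiusvpn))
        # Map an attribute stored on the group entry to a RADIUS reply
        # attribute. vpnGroupClass is a hypothetical LDAP attribute name.
        AuthAttrDef   vpnGroupClass, Class, reply
    </AuthBy>
</Handler>
```

Because the second clause performs no credential check, its position after the password-checking clause and the `ContinueWhileAccept` policy are what keep group membership from being sufficient for an accept.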