Re: Conditionals in LDAP
On Thursday 02 October 2008 07:53:23 Tom Cooper wrote:
> Hi all,
> I am fairly new to OpenLDAP and I was requested to set up the following:
>
> We have ADSL users to authenticate on freeradius which reads the user
> info via an OpenLDAP server. Now when the user has used a certain amount
> of data he must be flagged as blocked. His connection is disconnected
> and upon reconnection he is assigned a different IP address with
> restricted connectivity until he tops up his account. I can see that
> his information needs to be changed in LDAP
Not necessarily. There is no need to do authorization via LDAP just because
you do authentication via LDAP (and, I assume, you won't be doing accounting
by LDAP either, and your authorization seems to be linked to your accounting
anyway).
> to maybe assign him to a
> different uid,
Why change the UID? The User-Name returned by your RADIUS server does not
determine (I assume) that he has restricted connectivity, so there is no point
in changing the UID (or the DN for that matter). You merely need to have the
RADIUS server send the appropriate attributes (which could be stored in LDAP
on the user's entry, or in LDAP on an entry the user is a "member" of, or
could be the result of authorization via something other than LDAP). However,
these details are specific to the RADIUS server (and mostly off-topic on an
LDAP list).
> something like this:
>
> uid=xxxxxx,dc=radius,dc=example,dc=com (Original)
> changed to
> uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com.
>
> My question is now how do I accomplish this, because on the client side
> he will still try to authenticate as
> uid=xxxxxx,dc=radius,dc=example,dc=com and I can not control what
> credentials are sent?
You seem to be assuming that DIT structure is a simple concatenation of
strings. A subtree search dc=radius,dc=example,dc=com would find both of the
entries above.
However, in general it makes very little sense to move entries around the DIT
when you could be better served by modifying attributes on the entry instead.
> Is it maybe better accomplished from freeradius than from LDAP? The
> record needs to be changed in LDAP for our admin portal to make use of
> this to check the client's status.
But not necessarily by changing the DN or the naming attributes ...
However, maybe you should get a quote for a VISP from us instead :-P.
Regards,
Buchan
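Buchan's two points, that a subtree search on dc=radius,dc=example,dc=com returns both DNs and that flagging the user with an attribute beats moving the entry, as an added example that is not part of the thread. The attribute name radiusBlocked is an assumed placeholder, not one from any real schema.

```python
"""Subtree scope vs. moving entries: DN matching plus a flag-by-attribute LDIF.

Added example for this thread, not the original poster's or OpenLDAP's code.
radiusBlocked is a placeholder attribute name; use one from a schema you load.
"""


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514).

    Types and values are lowercased; dc and uid use caseIgnoreMatch by default,
    so this is an approximation of how the server compares them.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep "\," inside a value
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return [r.lower() for r in rdns]


def in_subtree(dn, base):
    """True if dn is base itself or lies anywhere below it (what scope=sub returns)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def block_user_ldif(dn, flag_attr="radiusBlocked"):
    """LDIF that flags the user in place; the DN the client binds with is unchanged."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {flag_attr}\n{flag_attr}: TRUE\n"


if __name__ == "__main__":
    base = "dc=radius,dc=example,dc=com"
    for dn in ("uid=xxxxxx,dc=radius,dc=example,dc=com",
               "uid=xxxxxx,dc=blocked,dc=radius,dc=example,dc=com"):
        print(dn, "found by subtree search:", in_subtree(dn, base))
    print(block_user_ldif("uid=xxxxxx,dc=radius,dc=example,dc=com"))
```

Both DNs are reported as inside the search base, which is why relocating the entry does not hide it from a subtree search and why a modify on the existing entry is the simpler change for both the RADIUS server and the admin portal to consume.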