ldap.attrmap question

liz liz at unixgrrl.net
Thu Apr 6 06:54:25 CEST 2006


Greetings!

Thanks! OK, that explains a lot. Here is a more detailed explanation of  
the problem. We are using an Aruba wireless AP management station to  
connect wireless clients.

XP-->Peap-->MSCHAPV2--> FreeRadius --> NTLM_AUTH,RLM_LDAP

The authentication works just dandy. The Aruba allows us to do role-  
based firewalling. The documentation says you can use "any" RADIUS  
attribute and pass it to the Aruba and then use that in the server  
rule to perform actions on, i.e. assign to a VLAN or do privilege  
escalation etc...

Since NTLM_Auth handles the authentication, I was hoping to use LDAP  
either to obtain a list of groups, i.e. memberOf from the ADS server  
(which I was able to do, but it returns multiples and I wasn't able to  
get it to strip the cn= from the results; also it appears it can't be  
a multiword value :)), or to just use an attribute returned from the  
LDAP server, i.e. RadiusGroup, and have it passed to the NAS so it can  
apply its rules.

Ldap --> Radius -->Nas

Is it possible to use NTLM_Auth and then use LDAP to search for a  
value returning it to the aruba?

Are the only values available to be used in this way the ones listed  
in the dictionary file for the Aruba?

I have ordered the O'Reilly book and hopefully it will give me clue +10 :)

I Really appreciate the help!

Thanks!
Liz



On Apr 5, 2006, at 9:16 PM, Alan DeKok wrote:

> liz <liz at unixgrrl.net> wrote:
>> I have  a simple question about the ldap.attrmap file.  I have placed
>> the following two lines into my ldap.attrmap.file.
> ...
>> checkItem	Group-Name		 	Description
>> replyItem	Group-Name			Description
>
>   You are trying to re-define attributes that have existing
> definitions in the server.  Don't do that.  Create a new attribute,
> instead.
>
>> What I am trying
>> to do is obtain information from an attribute in the LDAP server and
>> then pass it to the NAS we are using.
>
>   In which case you have to pick an attribute the NAS understands.
> Group-Name is not an attribute any NAS understands.
>
>> a) Is this approriate use of the ldap.attrmap file
>
>   No.
>
>> b) Is there any easier way to do this.
>
>   It depends on what you want to do.
>
>> c) What should I see when it successfully sends an attribute to  
>> the NAS.
>
>   You should see the attribute in the reply, in debugging mode.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
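
The configuration below is an added example written for this page; it is not part of Liz's post, Alan's reply, or the FreeRADIUS or Aruba documentation. It shows the shape of what Alan recommends: define a new attribute instead of redefining Group-Name, map the LDAP value onto an attribute the NAS actually understands (here the Aruba VSA Aruba-User-Role from dictionary.aruba), and confirm it in the reply under `radiusd -X`. It also covers the memberOf case, which is usually easier to handle with rlm_ldap's Ldap-Group check item in the users file than through ldap.attrmap. The LDAP attribute name `radiusGroup`, the attribute number 3000, the AD group names, the role names and the client address are all assumptions for illustration; the debug lines are an approximation of what to look for, not a captured log.

```text
# --- raddb/dictionary (local additions) ---
# If you need a server-internal attribute, create a new one instead of
# redefining Group-Name.  The number is an assumption: pick one in the
# local-use range noted in this file and make sure nothing else uses it.
ATTRIBUTE   My-Ldap-Role        3000    string

# --- raddb/ldap.attrmap ---
# Route 1: a single-valued attribute on the user object ("radiusGroup" is
# assumed) is copied straight into the Access-Accept as a VSA the Aruba
# understands.  Aruba-User-Role comes from dictionary.aruba (vendor 14823),
# so no new definition is needed for it.
replyItem   Aruba-User-Role     radiusGroup

# --- raddb/users ---
# Route 2: derive the role from AD group membership.  Requires the ldap
# module to be in the authorize section with groupmembership_attribute set
# to memberOf, so that Ldap-Group compares against the group's cn.  Quoting
# handles multi-word group names; first matching entry wins because there
# is no Fall-Through.  Group and role names are assumed.
DEFAULT     Ldap-Group == "WLAN Staff"
            Aruba-User-Role = "staff"

DEFAULT     Ldap-Group == "WLAN Guests"
            Aruba-User-Role = "guest"

# --- what to look for in `radiusd -X` (approximate, not a captured log) ---
# The attribute must appear under the Access-Accept being sent to the NAS;
# if it is only visible in the LDAP lookup output and not here, the map or
# the users entry did not produce a reply item.
#   Sending Access-Accept of id 12 to 192.0.2.10:1812
#       Aruba-User-Role = "staff"
```

Authentication stays with ntlm_auth (via MS-CHAPv2 under PEAP); rlm_ldap is only used in authorize to fetch the reply attribute or evaluate group membership. The bind account the ldap module uses must be allowed to read the user's memberOf values and the group entries they point at, or Ldap-Group will never match. Whether the NAS acts on the VSA is then a matter of the Aruba's server-rule configuration, which this example does not cover.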
