Mapping ldap attribute with radius attribute...howto?

Eric Martell workoutexcite at yahoo.com
Wed Apr 2 17:03:38 CEST 2008


Hi Alan,
   Can you please reply to me about LDAP multiple attributes in the RADIUS reply response on this? It will be really appreciated.
>>
I searched the following thread for LDAP multiple attributes, but it did not have the right logic without changing data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the LDAP data, as it is legacy.

For LDAP multiple attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111"
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = "test1"
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = "test2"
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = "test3"
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
rlm_ldap:  user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/<via Auth-Type = Accept>] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
        rEntitlements = "test1"
        rCidx = "111111"

>>>>>



Alan DeKok <aland at deployingradius.com> wrote:
Eric Martell wrote:
> I am using NTRadPing to test the authorization.
> I see in the log, radius attribute is mapped to ldap attribute and
> returning valid value
> rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = "111111"
> 
> but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
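
The wire format behind the reply quoted above, as an added example that is not part of the original thread and is not FreeRADIUS code: a RADIUS attribute has a one-octet type field, so site-specific attributes travel inside Vendor-Specific (type 26, RFC 2865), and a multi-valued attribute is carried as one attribute per value. The vendor ID and the vendor-type numbers for rCidx and rEntitlements are constructed placeholders.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that wraps vendor attributes
VENDOR_ID = 99999      # constructed placeholder, not a registered enterprise number
VENDOR_TYPES = {"rCidx": 1, "rEntitlements": 2}   # hypothetical vendor-type numbers

def encode_attribute(attr_type, payload):
    """Top-level attribute: 1-octet type, 1-octet length, then the value."""
    if not 1 <= attr_type <= 255:
        raise ValueError(f"type {attr_type} does not fit the 1-octet type field")
    if len(payload) > 253:
        raise ValueError("value does not fit the 1-octet length field")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload

def encode_vsa(name, value):
    """Wrap one string value as Vendor-Id + vendor type/length/value inside type 26."""
    data = value.encode()
    sub = struct.pack("!BB", VENDOR_TYPES[name], 2 + len(data)) + data
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID) + sub)

def encode_reply(pairs):
    """Each (name, value) pair becomes its own attribute, so repeats are preserved."""
    return b"".join(encode_vsa(name, value) for name, value in pairs)

def decode_reply(blob):
    """Parse the attribute area of a packet back into (name, value) pairs."""
    names = {num: name for name, num in VENDOR_TYPES.items()}
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + attr_len]
        i += attr_len
        if attr_type != VENDOR_SPECIFIC:
            out.append((attr_type, value))
            continue
        if len(value) < 6 or value[5] != len(value) - 4:
            raise ValueError("malformed vendor-specific attribute")
        vendor_id, vendor_type = struct.unpack("!IB", value[:5])
        out.append((names.get(vendor_type, (vendor_id, vendor_type)), value[6:].decode()))
    return out

# Constructed sample: the values rlm_ldap logged for this user.
SAMPLE = [("rCidx", "111111"), ("rEntitlements", "test1"),
          ("rEntitlements", "test2"), ("rEntitlements", "test3")]

if __name__ == "__main__":
    for name, value in decode_reply(encode_reply(SAMPLE)):
        print(name, "=", value)
```
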


       