ldap filter depending on NAS

Matthieu Lazaro matthieu.lazaro at eservglobal.com
Wed Apr 22 15:36:06 CEST 2009


Alan DeKok a écrit :
> Matthieu Lazaro wrote:
>
>   
>> Here is the content of a packet received by radiusd:
>>     
>
>   Weird, but OK.
>
>   
>> Furthermore, to reply to Alan about the radiusUserCategory, it is given
>> with the radius.schema for ldap. Is it a useless attribute then?
>>     
>
>   Yes.
>
>   
>> I'll be checking this afternoon and testing about putting more info in
>> ldap.attrmap to see if the filters work.
>>     
>
>   See also doc/rlm_ldap.  This *is* documented.
>
>   Alan DeKok.
>
>   
When filling the ldap.attrmap, here is what I get:

Info: [ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
Info: [ldap]         expand: (uid=%{Stripped-User-Name:-%{User-Name}})
-> (uid=bobalice)
Info: [ldap]         expand: dc=testbed,dc=lan -> dc=testbed,dc=lan
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: performing search in dc=testbed,dc=lan, with filter
(uid=bobalice)
Info: [ldap] checking if remote access for bobalice is allowed by
radiusTunnelPrivateGroupId
Info: [ldap] Added User-Password =                                     
in check items
Info: [ldap] No default NMAS login sequence
Info: [ldap] looking for check items in directory...
Debug: rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0
== "34"
Debug: rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
Debug: rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
Debug: rlm_ldap: userPassword -> User-Password == "                   
                        "
Debug: rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 10.1.1.2
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==   
Debug: rlm_ldap: sambaLmPassword -> LM-Password ==   
Debug: rlm_ldap: ntPassword -> NT-Password ==   
Debug: rlm_ldap: lmPassword -> LM-Password ==  
 Debug: rlm_ldap: radiusCallingStationId -> Calling-Station-Id ==
"00-15-42-7a-82-b4"
Info: [ldap] looking for reply items in directory...
Info: [ldap] user bobalice authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Info: ++[ldap] returns ok

The thing is, it is just READING the ldap content... and not comparing it
to what the NAS is sending.
It shows Tunnel-Private-Group-Id:0 == "34", whereas I actually logged in using
Tunnel-Private-Group-Id:0 == "1".

I tried to add those checks in the users file, but it didn't work.
I read the rlm_ldap manual, and it's not talking about those types of
attributes...

So I'm wondering where to tell radius: "compare the ldap attributes with
what the NAS sent you, and if anything is different, reject the packet".
I guess I'll have to wait until this is resolved before trying to have
radius put the user in the proper VLAN (doing things in the right
order???).

Regards,

Matt
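Added example, not part of the original thread and not FreeRADIUS's own rlm_ldap code: a small model of the comparison Matt is asking for. It parses the "ldapAttr -> Radius-Attr == value" debug lines from the post (embedded as constructed sample input, with the two mail-wrapped lines re-joined) into check items, then compares them with a constructed request dictionary representing what the NAS sent (`REQUEST_FROM_NAS`, using the VLAN 1 vs. VLAN 34 values Matt reports). The function names `parse_check_items` and `authorize`, the `PASSWORD_ATTRS` set and the request values are assumptions made for this illustration; the real module's operator, tag and password semantics are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the rlm_ldap "check items" debug lines from the
# post above, with the two lines that the mail client wrapped re-joined.
SAMPLE_DEBUG = """\
Debug: rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "34"
Debug: rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
Debug: rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
Debug: rlm_ldap: userPassword -> User-Password == "                   "
Debug: rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 10.1.1.2
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
Debug: rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "00-15-42-7a-82-b4"
"""

# Constructed (assumption): what the NAS sent for bobalice, using the values
# Matt reports (VLAN 1 in the request while the directory says 34).
REQUEST_FROM_NAS = {
    "User-Name": "bobalice",
    "NAS-IP-Address": "10.1.1.2",
    "Calling-Station-Id": "00-15-42-7a-82-b4",
    "Tunnel-Type:0": "VLAN",
    "Tunnel-Medium-Type:0": "IEEE-802",
    "Tunnel-Private-Group-Id:0": "1",
}

# Password-type attributes are never string-compared here; they belong to the
# authentication stage (LDAP bind / PAP), not to a check-item comparison.
PASSWORD_ATTRS = {"User-Password", "NT-Password", "LM-Password"}

CHECK_LINE = re.compile(
    r"^Debug: rlm_ldap: (?P<ldap>\S+) -> (?P<attr>[A-Za-z0-9-]+)"
    r"(?::(?P<tag>\d+))? (?P<op>==|!=|:=|=\*|!\*) ?(?P<value>.*)$"
)

CheckItem = Tuple[str, str, str]  # (radius attribute[:tag], operator, value)


def parse_check_items(debug_text: str) -> List[CheckItem]:
    """Turn 'ldapAttr -> Radius-Attr op value' debug lines into check items.

    Blank values (attribute listed in ldap.attrmap but empty in the entry) are
    dropped, since there is nothing to enforce; password attributes are skipped
    entirely (see PASSWORD_ATTRS)."""
    items: List[CheckItem] = []
    for line in debug_text.splitlines():
        m = CHECK_LINE.match(line.strip())
        if not m:
            continue
        attr, op, value = m.group("attr"), m.group("op"), m.group("value").strip()
        if attr in PASSWORD_ATTRS:
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].strip()          # unquote, then drop padding
        if value == "" and op in ("==", "!="):
            continue
        if m.group("tag") is not None:
            attr = f"{attr}:{m.group('tag')}"    # keep the tag as part of the name
        items.append((attr, op, value))
    return items


def authorize(request: Dict[str, str], check_items: List[CheckItem]) -> Tuple[bool, List[str]]:
    """Compare each check item with what the NAS sent.

    Returns (accept, reasons). Any failed comparison rejects the request;
    ':=' items only assign a value and never cause a reject."""
    reasons: List[str] = []
    for attr, op, value in check_items:
        sent = request.get(attr)
        if op == ":=":
            continue
        if op == "=*" and sent is None:
            reasons.append(f"{attr} missing from request")
        elif op == "!*" and sent is not None:
            reasons.append(f"{attr} must not be present in request")
        elif op == "==" and sent != value:
            reasons.append(f"{attr}: NAS sent {sent!r}, directory says {value!r}")
        elif op == "!=" and sent == value:
            reasons.append(f"{attr}: NAS sent forbidden value {value!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    items = parse_check_items(SAMPLE_DEBUG)
    ok, why = authorize(REQUEST_FROM_NAS, items)
    print("accept" if ok else "reject", why)
```

Run as-is, the model rejects bobalice with a single reason, the Tunnel-Private-Group-Id:0 mismatch (directory 34, NAS 1), and accepts once the request carries 34. The two design choices worth noting are that empty directory values are treated as "nothing to enforce" rather than as a required empty string, and that password attributes are kept out of the comparison altogether.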