Variables' content as a reply

Augusto G. Andreollo guto at ccuec.unicamp.br
Thu Mar 5 22:20:09 CET 2009


Hello all!

I've been trying unsuccessfully to get this setup to work, but unfortunately haven't been able to so far.

My need is to return the contents of three LDAP fields as replies in the Access-Accept packet.

The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM Cookbook -- DJ 5.1.5,3).
My config is as follows:

on ldap.attrmap:
> checkItem       cLDAPdepartmentNumber           departmentNumber
> replyItem       rLDAPdepartmentNumber           departmentNumber
> checkItem       cLDAPaffiliation                eduPersonPrimaryAffiliation
> replyItem       rLDAPaffiliation                eduPersonPrimaryAffiliation
> checkItem       cLDAPou                         ou
> replyItem       rLDAPou                         ou

on dictionary.university:
> VENDOR Unicamp 12345
>
> BEGIN-VENDOR Unicamp
> ATTRIBUTE University-LDAP-departmentNumber 1 string
> ATTRIBUTE University-LDAP-affiliation 2 string
> ATTRIBUTE University-LDAP-organizationUnit 3 string
> END-VENDOR University

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file:
>         post-auth {
>                 reply_log
>                 Post-Auth-Type REJECT {
>                         reply_log
>                 }
>                 redundant {
>                         sql-server1
>                         sql-server2
>                 }
>                 update outer.reply {
>                         User-Name := %{reply:User-Name}
>                         University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
>                 }

radiusd -v is:
> radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.0, built on Jan  9 2009 at 07:02:31


but unfortunately, something does not translate right. From what I've gathered running radiusd -X, the relevant parts are:

- first, an error on rlm_ldap:
> ++- entering policy redundant {...}
> [ldap1] performing user authorization for user at university
> [ldap1]         expand: (eduPersonPrincipalName=%{User-Name}) -> (eduPersonPrincipalName=user at university)
> [ldap1]         expand: dc=university -> dc=university
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.university:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as / to ldap1.university:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=university, with filter (eduPersonPrincipalName=user at university)
> [ldap1] checking if remote access for user at university is allowed by dialupAccess
> [ldap1] looking for check items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string "cc    " for attribute name "cLDAPou"
> rlm_ldap: Failed to create the pair: Invalid octet string "staff" for attribute name "cLDAPaffiliation"
> rlm_ldap: Failed to create the pair: Invalid octet string "20.5.2.4.0.0.0" for attribute name "cLDAPdepartmentNumber"
> rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
> [ldap1] looking for reply items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string "cc    " for attribute name "rLDAPou"
> rlm_ldap: Failed to create the pair: Invalid octet string "staff" for attribute name "rLDAPaffiliation"
> rlm_ldap: Failed to create the pair: Invalid octet string "20.5.2.4.0.0.0" for attribute name "rLDAPdepartmentNumber"
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
> [ldap1] Setting Auth-Type = LDAP
> [ldap1] user user at university authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap1] returns ok

- second: the reply's content is not getting translated right. Instead of sending the contents of the variables, it just sends the variable names outright:

> Sending Access-Accept of id 235 to xxx.xxx.xxx.xxx port 32783
>         User-Name = "%{reply:User-Name}"
>         University-LDAP-departmentNumber = "%{rLDAPdepartmentNumber}"
>         MS-MPPE-Recv-Key = blah
>         MS-MPPE-Send-Key = blah
>         EAP-Message = 0x03050004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 5.

So, the most important question is: how do I reference the contents of the variables in the post-auth update section?

Second: what's causing the check and reply items not to get translated? Could this be an LDAP error, or is there an error in the ldap.attrmap file?

By the way, the authentication, authorization, everything is working
fine already (including the TTLS/PAP part).

Thanks in advance for any thoughts.
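Two things in the quoted fragments are worth checking mechanically before touching the LDAP side, and a small offline checker is a convenient way to do it. rlm_ldap can only build a check or reply pair for a RADIUS attribute name that some loaded dictionary defines, so every name in the second column of ldap.attrmap needs a matching ATTRIBUTE line somewhere; and in FreeRADIUS 2.x unlang the right-hand side of an `update` assignment is only run through `%{...}` expansion when it is a double-quoted string. The script below is an added example, not code from the original post or from the FreeRADIUS project. It embeds the three fragments quoted above as constructed input, reports attrmap names that the dictionary fragment does not define, flags the BEGIN-VENDOR/END-VENDOR name mismatch visible in the dictionary fragment (however that arose), and lists update values that contain `%{...}` without double quotes. Against a real installation you would feed it the full dictionary set the server loads rather than one fragment; the `extra_known` parameter is a hypothetical hook for that.

```python
import re

# Constructed sample input: the three fragments quoted in the post above.
ATTRMAP = """\
checkItem       cLDAPdepartmentNumber           departmentNumber
replyItem       rLDAPdepartmentNumber           departmentNumber
checkItem       cLDAPaffiliation                eduPersonPrimaryAffiliation
replyItem       rLDAPaffiliation                eduPersonPrimaryAffiliation
checkItem       cLDAPou                         ou
replyItem       rLDAPou                         ou
"""

DICTIONARY = """\
VENDOR Unicamp 12345

BEGIN-VENDOR Unicamp
ATTRIBUTE University-LDAP-departmentNumber 1 string
ATTRIBUTE University-LDAP-affiliation 2 string
ATTRIBUTE University-LDAP-organizationUnit 3 string
END-VENDOR University
"""

UPDATE_BLOCK = """\
update outer.reply {
        User-Name := %{reply:User-Name}
        University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
}
"""

XLAT_RE = re.compile(r"%\{[^}]*\}")
ASSIGN_RE = re.compile(r"\s*([\w-]+)\s*(?::=|\+=|-=|==|=)\s*(.+?)\s*$")


def parse_attrmap(text):
    """Return (kind, radius_attr, ldap_attr) tuples from ldap.attrmap text."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("checkItem", "replyItem"):
            raise ValueError("malformed attrmap line: %r" % line)
        rows.append(tuple(parts))
    return rows


def parse_dictionary(text):
    """Return (set of ATTRIBUTE names, list of vendor-block problems)."""
    attrs, problems, vendors = set(), [], set()
    open_vendor = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        kw = parts[0]
        if kw == "VENDOR" and len(parts) >= 3:
            vendors.add(parts[1])
        elif kw == "BEGIN-VENDOR" and len(parts) >= 2:
            if parts[1] not in vendors:
                problems.append("BEGIN-VENDOR %s: no VENDOR line defines it" % parts[1])
            open_vendor = parts[1]
        elif kw == "END-VENDOR" and len(parts) >= 2:
            if parts[1] != open_vendor:
                problems.append("END-VENDOR %s does not match BEGIN-VENDOR %s"
                                % (parts[1], open_vendor))
            open_vendor = None
        elif kw == "ATTRIBUTE" and len(parts) >= 4:
            attrs.add(parts[1])
    if open_vendor is not None:
        problems.append("BEGIN-VENDOR %s never closed" % open_vendor)
    return attrs, problems


def unquoted_xlats(text):
    """Attribute names whose update value holds %{...} but is not double-quoted."""
    found = []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        attr, value = m.groups()
        quoted = value.startswith('"') and value.endswith('"') and len(value) >= 2
        if XLAT_RE.search(value) and not quoted:
            found.append(attr)
    return found


def audit(attrmap_text, dictionary_text, update_text, extra_known=()):
    """Cross-check the three fragments and return a list of human-readable findings."""
    attrs, findings = parse_dictionary(dictionary_text)
    attrs = attrs | set(extra_known)  # hypothetical hook for the server's other dictionaries
    for kind, radius_attr, ldap_attr in parse_attrmap(attrmap_text):
        if radius_attr not in attrs:
            findings.append("%s %s (LDAP %s): no dictionary defines RADIUS attribute %s"
                            % (kind, radius_attr, ldap_attr, radius_attr))
    for attr in unquoted_xlats(update_text):
        findings.append("update %s: value contains %%{...} but is not double-quoted" % attr)
    return findings


if __name__ == "__main__":
    for finding in audit(ATTRMAP, DICTIONARY, UPDATE_BLOCK):
        print(finding)
```

Run as-is, the checker reports one vendor-block mismatch, six attrmap names with no ATTRIBUTE definition, and two unquoted update values; the first two groups correspond to the "Failed to create the pair" lines and the third to the literal `%{...}` strings in the Access-Accept shown above.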