Variables' content as a reply

tnt at kalik.net
Fri Mar 6 03:02:11 CET 2009


>I've been trying unsuccessfully to get this setup to work, but unfortunately haven't been able so far.
>
>My need is to return the contents of three LDAP fields as replies on the Access-Accept package.
>
>The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM Cookbook -- DJ 5.1.5,3).
>My config is as follows:
>
>on ldap.attrmap:
>> checkItem       cLDAPdepartmentNumber           departmentNumber
>> replyItem       rLDAPdepartmentNumber           departmentNumber
>> checkItem       cLDAPaffiliation                eduPersonPrimaryAffiliation
>> replyItem       rLDAPaffiliation                eduPersonPrimaryAffiliation
>> checkItem       cLDAPou                         ou
>> replyItem       rLDAPou                         ou
>

Where does the cookbook say that you should put that in ldap.attrmap?
Where are those radius attributes defined? Some additional dictionary?

>on dictionary.university:
>> VENDOR Unicamp 12345
>>
>> BEGIN-VENDOR Unicamp
>> ATTRIBUTE University-LDAP-departmentNumber 1 string
>> ATTRIBUTE University-LDAP-affiliation 2 string
>> ATTRIBUTE University-LDAP-organizationUnit 3 string
>> END-VENDOR University
>

Why don't you map those in ldap.attrmap?

>(the attributes, at least, are recognized correctly on the reply).
>
>on the inner-tunnel configuration file:
>>         post-auth {
>>                 reply_log
>>                 Post-Auth-Type REJECT {
>>                         reply_log
>>                 }
>>                 redundant {
>>                         sql-server1
>>                         sql-server2
>>                 }
>>                 update outer.reply {
>>                         User-Name := %{reply:User-Name}
>>                         University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
>>                 }

That should be:

                         User-Name := '%{reply:User-Name}'
                         University-LDAP-departmentNumber := '%{rLDAPdepartmentNumber}'

Ivan Kalik
Kalik Informatika ISP
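
Added example, not part of the original message and not FreeRADIUS code: a small Python check for the two questions raised above, namely whether every RADIUS attribute named in ldap.attrmap is defined in the dictionary, and whether BEGIN-VENDOR and END-VENDOR agree. The sample input is constructed from the files quoted in the thread, and only the dictionary text passed in is checked (the server's stock dictionaries are assumed to be out of scope).

```python
# Constructed sample input, adapted from the files quoted in this thread.
DICTIONARY = """\
VENDOR Unicamp 12345
BEGIN-VENDOR Unicamp
ATTRIBUTE University-LDAP-departmentNumber 1 string
ATTRIBUTE University-LDAP-affiliation 2 string
ATTRIBUTE University-LDAP-organizationUnit 3 string
END-VENDOR University
"""
# Two lines as quoted, plus one constructed line mapping straight to a dictionary attribute.
ATTRMAP = """\
checkItem       cLDAPdepartmentNumber           departmentNumber
replyItem       rLDAPdepartmentNumber           departmentNumber
replyItem       University-LDAP-affiliation     eduPersonPrimaryAffiliation
"""


def fields(line):
    """Split a config line into whitespace-separated fields, dropping '#' comments."""
    return line.split("#", 1)[0].split()


def parse_dictionary(text):
    """Return (set of ATTRIBUTE names, list of BEGIN/END-VENDOR problems)."""
    defined, problems, open_vendor = set(), [], None
    for n, line in enumerate(text.splitlines(), 1):
        f = fields(line)
        if len(f) < 2:
            continue
        keyword = f[0].upper()
        if keyword == "ATTRIBUTE":
            defined.add(f[1])
        elif keyword == "BEGIN-VENDOR":
            open_vendor = f[1]
        elif keyword == "END-VENDOR":
            if f[1] != open_vendor:
                problems.append(f"line {n}: END-VENDOR {f[1]} closes BEGIN-VENDOR {open_vendor}")
            open_vendor = None
    return defined, problems


def undefined_in_attrmap(attrmap, defined):
    """List (item type, RADIUS attribute) pairs in ldap.attrmap that are not in `defined`."""
    return [(f[0], f[1]) for f in map(fields, attrmap.splitlines())
            if len(f) >= 3 and f[0] in ("checkItem", "replyItem") and f[1] not in defined]


if __name__ == "__main__":
    defined, problems = parse_dictionary(DICTIONARY)
    for p in problems:
        print("dictionary:", p)
    for kind, name in undefined_in_attrmap(ATTRMAP, defined):
        print(f"ldap.attrmap: {kind} {name} is not defined in the dictionary checked")
```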



