Logging the return code from the ldap authentication to SQL.

Augusto G. Andreollo guto at ccuec.unicamp.br
Mon Mar 16 15:55:06 CET 2009


Hello all.

I have the need to log the return code from the LDAP authentication to
our database (I'm adding it to the postauth table scheme).

I've already modified the database scheme (ok), the attribute map, to
create a new attribute called "reason" (ok) and the insert queries (ok).
All of this is working fine, including the complete authentication, all
the way through Access-Accept and Accounting.

My problem now is getting the return code into the variable, according
to the LDAP module results.

I've made two attempts so far, and neither gave me much success:

First, with a series of IFs and ELSIFs:

       authenticate {
               Auth-Type LDAP {
                       redundant {
                               ldap1
                               ldap2
                       }
                       if (rejected) {
                               update control {
                                       reason = "rejected"
                               }
                       }
                       elsif (fail) {
                               update control {
                                       reason = "fail"
                               }
                       }
                       elsif (notfound) {
                               update control {
                                       reason = "not found"
                               }
                       }
                       elsif (ok) {
                               update control {
                                       reason = "ok"
                               }
                       }
                       else {
                               update control {
                                       reason = "ERROR"
                               }
                       }
               }
       }

Which gives:

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap1] user user at university authenticated succesfully
+++[ldap1] returns ok
++- policy redundant returns ok
++? if (rejected)
? Evaluating (rejected) -> TRUE
++? if (rejected) -> TRUE
++- entering if (rejected) {...}
+++[control] returns ok
++- if (rejected) returns ok
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping elsif for request 0: Preceding "if" was taken
++ ... skipping else for request 0: Preceding "if" was taken
+- entering group post-auth {...}

(and then it goes on to successfully add the string "rejected" to the
database. Again, that part is working smoothly).

My second attempt was with a switch statement, as follows: 

        authenticate {
                Auth-Type LDAP {
                        redundant {
                                ldap1
                                ldap2
                        }

                        switch "%{control:rcode}" {
                                case ok {
                                        update control {
                                                reason = "ok"
                                        }
                                }
                                case rejected {
                                        update control {
                                                reason = "rejected"
                                        }
                                }
                                case notfound {
                                        update control {
                                                reason = "notfound"
                                        }
                                }
                                case fail {
                                        update control {
                                                reason = "fail"
                                        }
                                }
                                case {
                                        update control {
                                                reason = "ERROR"
                                        }
                                }
                        }

                }
        }

Which gives me the following (Again, I've skipped what I believe to be
unneeded):

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap1] user user at university.com authenticated succesfully
+++[ldap1] returns ok
++- policy redundant returns ok
	expand: %{control:rcode} -> 
++- entering switch %{control:rcode} {...}
+++- entering case  {...}
++++[control] returns ok
+++- case  returns ok
++- switch %{control:rcode} returns ok
+- entering group post-auth {...}

And then it goes on to successfully write "ERROR" to the database.

(to save room: I've already tried enclosing the case options in quotes,
as 'rejected', 'ok', etc. That gives me the exact same results. So does
putting them in double quotes, as "ok", "rejected", etc.)

So, any ideas?

btw:
$ radiusd -v
radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.0,
built on Jan  9 2009 at 07:02:31


-- 
Augusto G. Andreollo
CCUEC/DCNET/SREDE
Universidade Estadual de Campinas - UNICAMP
+55 19 3521-2276
    --  "Wit beyond measure is men's greatest treasure."
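The configuration below is an added example; it is not part of the original post and not FreeRADIUS' own distribution. It addresses what the first debug trace shows: `rejected` is not a module return code (the code is named `reject`), and a bare word that is not a return code is evaluated as a string, which is true whenever it is non-empty. That is why `? Evaluating (rejected) -> TRUE` appears right after `+++[ldap1] returns ok`. The switch form is not used here because the second trace shows `expand: %{control:rcode} ->` producing an empty string. The example also covers a point that matters for security: `update control` itself returns ok (`+++[control] returns ok`), and in an authenticate section ok has a higher priority than reject, so a branch that only updates `control` after a real reject would let `Auth-Type LDAP` finish with ok. Each non-ok branch therefore re-issues the real result. Two things are assumed rather than taken from the post: that the per-group action overrides (`reject = 1` and so on) are honoured on the `redundant` group, so that a reject, fail or notfound does not return from `Auth-Type LDAP` before the checks run, and that the `reject`, `fail` and `notfound` instances of rlm_always from raddb/modules/always are loaded. Verify both with `radiusd -X` before relying on this.

```unlang
authenticate {
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                        # Assumed: action overrides on the group. By default,
                        # reject, fail and notfound in an authenticate section
                        # mean "return from the section now", so the checks
                        # below would never be reached. Priority 1 keeps the
                        # code as the running result and continues processing.
                        reject = 1
                        fail = 1
                        notfound = 1
                }

                # "reject" is the return code name. "rejected" is not a return
                # code, so it is evaluated as a non-empty string, i.e. TRUE.
                if (reject) {
                        update control {
                                reason = "reject"
                        }
                        # "update" returns ok, which would outrank reject and
                        # accept the user. Re-issue the real result (assumed:
                        # the rlm_always "reject" instance is loaded).
                        reject
                }
                elsif (fail) {
                        update control {
                                reason = "fail"
                        }
                        fail
                }
                elsif (notfound) {
                        update control {
                                reason = "notfound"
                        }
                        notfound
                }
                elsif (ok) {
                        update control {
                                reason = "ok"
                        }
                }
                else {
                        update control {
                                reason = "ERROR"
                        }
                        # Unknown state: fail closed rather than accept.
                        reject
                }
        }
}
```

With this in place the post-auth insert still reads `%{control:reason}` as before; the only behavioural change is that a rejected, failed or not-found bind now records its reason and still ends in an Access-Reject, which the `++- if (...) returns ...` lines in `radiusd -X` will confirm.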
