Attr-Rewrite and Users File

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Wed Sep 30 20:22:00 CEST 2009


Hi there!

Please help....


I'm doing an attr_rewrite with an attribute in the request:

attr_rewrite strip-vpn {
        attribute = Acct-Session-Id
        searchin = packet 
        searchfor = "^[^\(]+([\(])([^\)]+).+$"
        replacewith = %{2}
        new_attribute = no 
        max_matches = 1
        append = no 

}

RADIUS doing the rewrite seems okay to me...

[strip-vpn]     expand: ^[^(]+([(])([^)]+).+$ -> ^[^(]+([(])([^)]+).+$
[strip-vpn]     expand: %{2} -> test1
strip-vpn: Changed value for attribute Acct-Session-Id from
'abc00000(test1)"Mon Sep 28 13:34:40 2009"9XMBQBrh' to 'test1'
strip-vpn: Could not find value pair for attribute Acct-Session-Id
++[strip-vpn] returns ok

Later, in the files module, I'd like to use the stripped value for checking
against an LDAP group:

DEFAULT User-Name =~ "^(\.*)([a-zA-Z]{3}[0-9]{5})", Huntgroup-Name == "test",
ldapgroups1-Ldap-Group=="cn=%{Acct-Session-Id},o=test,c=de"
   
So, if the user is a member of the group cn=test1,o=test,c=de he should get an
access-accept, else he should be rejected.

For the FIRST request after RADIUS started, it looks like this:

 expand: cn=%{Acct-Session-Id},o=test,c=de -> cn=test1,o=test,c=de 
rlm_ldap: Entering ldap_groupcmp()
...
rlm_ldap: performing search in cn=test1,o=test,c=de, with filter ....

and it's working as it should.

The next request from the same user but with test2 instead of test1 in the
request:

[strip-vpn]     expand: ^[^(]+([(])([^)]+).+$ -> ^[^(]+([(])([^)]+).+$
[strip-vpn]     expand: %{2} -> test2
strip-vpn: Changed value for attribute Acct-Session-Id from
'abc00000(test2)"Mon Sep 28 13:34:40 2009"9XMBQBrh' to 'test2'
strip-vpn: Could not find value pair for attribute Acct-Session-Id
++[strip-vpn] returns ok

Now RADIUS doesn't do the expansion like it did for the first request, but does
the search in the group with the value used in the previous request:

rlm_ldap: Entering ldap_groupcmp()
...
rlm_ldap: performing search in cn=test1,o=test,c=de, with filter ....

Is there some kind of caching, or am I missing something?

Thank you very much
Anja










---------------------------------------------------------------------------------------------
Anja Ruckdäschel M.A.; Rechenzentrum der Universität Regensburg;
Universitätsstr.31; 93 053 Regensburg
Telefon: +49 941 943 4826
---------------------------------------------------------------------------------------------
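
An added diagnostic example (not from the original post or from FreeRADIUS): a Python emulation of the strip-vpn rewrite that derives the group DN each request should produce and compares it with the DN in the rlm_ldap debug line, flagging the stale search described above. The function names are hypothetical, the sample values are the ones quoted in the post with wrapped lines rejoined, and the RFC 4514 escaping is an added assumption that the configuration in the post does not perform.

```python
import re

# searchfor pattern from the post's attr_rewrite instance.
SEARCHFOR = re.compile(r"^[^\(]+([\(])([^\)]+).+$")
# DN as printed in the rlm_ldap debug line quoted in the post.
SEARCH_DN = re.compile(r"rlm_ldap: performing search in (.+?), with filter")

def strip_vpn(value):
    """Emulate the rewrite: one match (max_matches = 1), replaced by group 2."""
    return SEARCHFOR.sub(lambda m: m.group(2), value, count=1)

def escape_rdn(value):
    """Escape RFC 4514 special characters (added assumption, see lead-in)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out

def expected_group_dn(acct_session_id):
    """Group DN the users-file entry should expand to for this request."""
    return "cn=%s,o=test,c=de" % escape_rdn(strip_vpn(acct_session_id))

def find_stale_searches(requests):
    """requests: (raw Acct-Session-Id, debug log text) pairs, one per request.
    Returns (expected_dn, searched_dn) wherever the LDAP search used a DN
    that was not derived from that request's own attribute."""
    stale = []
    for raw, log in requests:
        want = expected_group_dn(raw)
        for got in SEARCH_DN.findall(log):
            if got != want:
                stale.append((want, got))
    return stale

# Sample data: values and log lines quoted from the post, wrapped lines rejoined.
REQUESTS = [
    ('abc00000(test1)"Mon Sep 28 13:34:40 2009"9XMBQBrh',
     "rlm_ldap: performing search in cn=test1,o=test,c=de, with filter ...."),
    ('abc00000(test2)"Mon Sep 28 13:34:40 2009"9XMBQBrh',
     "rlm_ldap: performing search in cn=test1,o=test,c=de, with filter ...."),
]

if __name__ == "__main__":
    for want, got in find_stale_searches(REQUESTS):
        print("stale group DN: expected %s, server searched %s" % (want, got))
```

Run over a full debug capture split per request, any reported pair means the group check for that request was made against another request's value.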



