Check in users file using a string attribute obtained from ldap
Kostas Zorbadelos
kzorba at otenet.gr
Fri Dec 24 14:26:35 CET 2010
Greetings to all,
I am trying to accomplish the following setup:
- have freeradius query an ldap server to get the usual user entry with one
  check and a few reply attributes
- have after that a users file that, based on the check attribute obtained
  before by the ldap module, makes some processing (e.g. add a few common reply
  attributes)
This is actually a "grouping" functionality and I can accomplish what I want
using the Ldap-Group attribute, BUT I want to avoid the extra ldap queries.
So for example I have:
LDAP
----------
# kzorba, people, company.gr
dn: uid=kzorba1,ou=people,dc=company,dc=gr
objectClass: XXX
objectClass: YYY
radiusProfile: FOO_STATIC
Framed-IP-Address: 62.103.131.9
userPassword: XXXXXXX
sn: ZORBADELOS
uid: kzorba
...
ldap.attrmap
--------------
checkItem $GENERIC$ radiusCheckItem
replyItem $GENERIC$ radiusReplyItem
checkItem Ascend-Group radiusProfile
replyItem Framed-IP-Address Framed-IP-Address
replyItem Framed-Route Framed-Route
replyItem Filter-Id Filter-Id
And I want to have a users file that looks like this:
DEFAULT Ascend-Group =~ "STATIC"
        Reply-Message = "Your account is Static."
Having the following authorize section in default
authorize {
        preprocess
        chap
        mschap
        ldap {
                notfound = reject
        }
        files
        pap
}
The checks fail.
I looked at the source code and from what I understood the ldap module puts
all check items in the so called control (or check list), while rlm_file makes
checks in the request list.
So I figured that doing an unlang update request would solve the problem.
authorize {
        preprocess
        chap
        mschap
        ldap {
                notfound = reject
        }
        update request {
                Group = "%{control:Ascend-Group}"
        }
        files
        pap
}
And in users file have a
DEFAULT Group =~ "STATIC"
        Reply-Message = "Your account is Static."
However this also did not work.
Any help as to what I am missing here?
Thanks,
Kostas Zorbadelos