rlm_ldap & access_attr

Fred fred.maison at gmail.com
Fri Sep 23 15:10:40 CEST 2011


Hi all,

I am using FR 2.1.11 and I am trying to implement access_attr &
access_attr_used_for_allow with rlm_ldap.
modules/ldap.conf:
...
access_attr = inetUserStatus
access_attr_used_for_allow = yes
compare_check_items = no
do_xlat = yes
set_auth_type = yes
...

Inside our OpenLDAP, the attribute is inetUserStatus, whose value can
be active or inactive.
According to the rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE).
At the moment, access is granted if inetUserStatus is set to active as well
as if inetUserStatus is set to inactive, I suppose because FR does not
interpret those values as TRUE/yes or FALSE/no.

As I cannot act on the LDAP server side (many other applications already use
this attribute value pair), is there any way to have this working on the
FreeRADIUS side?
Is it necessary to ldap.attrmap this attribute to use this feature?
Could I (for example) update the attribute recovered from LDAP during authorization
and change inactive to FALSE or active to TRUE?

Debug extract:
Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for user_sps
Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand: %{Stripped-User-Name} ->
Fri Sep 23 12:54:05 2011 : Info: [ldap]         ... expanding second conditional
Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand: %{User-Name} -> user_sps
Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps)
Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand: dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] attempting LDAP reconnection
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] (re)connect to 10.49.64.25:389, authentication 0
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] bind as cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] waiting for bind result ...
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] Bind was successful
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] performing search in dc=corp,dc=toto,dc=com, with filter (uid=user_sps)
Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for user_sps is allowed by inetUserStatus
Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in directory...
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] userPassword -> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi"
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ntPassword -> NT-Password == 0x7305108b06d9839d8530b917307803e9
Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in directory...
Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP
Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use remote access
Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok
Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at line 1
Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok


Best regards,

Fred MAISON
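The post asks whether the active/inactive value can be evaluated on the FreeRADIUS side without changing the directory. The following unlang fragment is an added example written for this thread, not the poster's configuration and not part of the FreeRADIUS distribution. It assumes a FreeRADIUS 2.1.x server whose rlm_ldap instance is called "ldap" and has do_xlat = yes (as in the ldap.conf shown above), so the LDAP-URL xlat %{ldap:...} is available; the base DN dc=corp,dc=toto,dc=com, the attribute name inetUserStatus and the uid filter are taken from the post. It leaves access_attr unset and makes the decision in the authorize section instead, so that the literal string "active" is the only value that lets the request continue.

```unlang
# raddb/sites-enabled/default, FreeRADIUS 2.1.x (added example, not from the post)
# Assumes: module instance "ldap" with do_xlat = yes, access_attr not set,
# base DN / attribute / filter as in the original message.
authorize {
    preprocess
    suffix

    # Look the user up and load check and reply items exactly as before.
    ldap

    # Fetch the raw inetUserStatus value for this user through the LDAP-URL
    # xlat (ldap:///base?attribute?scope?filter). The xlat expands to the
    # attribute's first value, or to an empty string when the entry or the
    # attribute does not exist.
    #
    # Fail closed: only the literal value "active" is accepted. A missing
    # entry, a missing attribute, or any other value ("inactive", a typo,
    # an unexpected encoding) is rejected instead of being treated as
    # TRUE because the attribute happens to be present.
    if ("%{ldap:ldap:///dc=corp,dc=toto,dc=com?inetUserStatus?sub?(uid=%{%{Stripped-User-Name}:-%{User-Name}})}" != "active") {
        update reply {
            Reply-Message := "Account is not active"
        }
        reject
    }

    files
}
```

The comparison is deliberately an allow-list on "active" rather than a deny on "inactive", so an entry whose attribute is absent or malformed is refused rather than silently accepted; if legacy entries legitimately lack the attribute, that is the line to adjust. Check the result with radiusd -X, which logs both the expanded xlat value and the branch taken. One further caveat for anyone reproducing the debug extract above: a full radiusd -X trace prints the bind DN together with its password and the user's password hashes in clear, so such output should be redacted before it is shared.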