How to return Filter-ID attribute value for the users in Active Directory?

suggestme suggest_me at hotmail.com
Thu Jan 19 19:21:04 CET 2012


Hi, 

I tried to return the value of Filter-ID as:

authorize {
    ...
    ldap

    # capture the first OU of the user's DN into Tmp-String-1
    if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) {
        update control {
            Tmp-String-1 := "%{1}"
        }
    }
    ...
}

post-auth {
    # build the Enterasys policy string from the captured OU
    update reply {
        Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
    }
}

In my Active Directory I have the attribute named "distinguishedName" which
I am using inside the "if" statement. If I use the "Ldap-UserDN" attribute inside
the "if" statement (as suggested) it says: "No attribute named Ldap-UserDN".

*Example*: In Active Directory "distinguishedName" attribute for the user is
listed as: 

CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com


But when I run in debug mode, while checking the "if" condition, it
shows:

++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE

*Why is this "if" condition being evaluated as FALSE?*
And it returns the post-auth value as:

Filter-Id = "Enterasys:version=1:policy=" 
 
It doesn't return anything such as staff, administrators, etc. for the policy.

The part of debug mode output and radtest are as shown below:

##Debug mode output:
#radiusd -X :

rad_recv: Access-Request packet from host 127.0.0.1 port 43666, id=225,
length=80
        User-Name = "test"
        User-Password = "hello"
        NAS-IP-Address = IP Address
        NAS-Port = 0
        Message-Authenticator = 0x8ab06794e7069587309aa626d315269e
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for test
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> test
[ldap]  expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=test)
[ldap]  expand: dc=example,dc=com -> dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to server.example.com:389, authentication 0
  [ldap] bind as
cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=example,dc=com, with filter
(sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "hello"
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
  [ldap] (re)connect to server.example.com:389, authentication 1
  [ldap] bind as
CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/hello to
server.example.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 0)
# Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
        expand: Enterasys:version=1:policy=%{control:Tmp-String-1} ->
Enterasys:version=1:policy=
++[reply] returns noop
++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 43666
        Filter-Id = "Enterasys:version=1:policy="
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 225 with timestamp +8
Ready to process requests.


##radtest output:
#radtest test hello localhost 0 testing123
Sending Access-Request of id 225 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "hello"
        NAS-IP-Address = IP Address
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=225,
length=49
        Filter-Id = "Enterasys:version=1:policy="


Please correct me if I am doing something wrong.


Thanks,




--
View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-value-for-the-users-in-Active-Directory-tp5155068p5158499.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
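As an added example (not code from the post or from FreeRADIUS), the regex and Filter-Id construction from the post modelled in Python and run against the user DN as it appears in the two bind lines of the debug output: the authorize bind prints it with lowercase "ou=", the authentication bind with uppercase "OU=", and the unlang regex matches "OU=" case-sensitively. The fail-closed variant and the sample DN strings are my assumptions.

```python
import re

# The unlang regex from the post, unchanged: skip the first RDN, capture the first OU value.
OU_REGEX = r"^[^,]+,OU=([^,]+),"

# Constructed samples copied from the two bind lines of the debug output:
# the authorize bind shows the DN lowercase, the authentication bind uppercase.
DN_UPPER = "CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com"
DN_LOWER = "cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com"


def first_ou(dn, ignore_case=False):
    """Return the first OU value of dn, or None when the regex does not match.

    ignore_case=False mirrors the case-sensitive match of the post's unlang
    condition. Attribute types in an LDAP DN are case-insensitive, so a robust
    match should ignore case.
    """
    flags = re.IGNORECASE if ignore_case else 0
    m = re.match(OU_REGEX, dn, flags)
    return m.group(1) if m else None


def filter_id(dn, ignore_case=False):
    """Build the Filter-Id string exactly as the post's post-auth section does.

    Tmp-String-1 is only set when the condition matched; otherwise
    %{control:Tmp-String-1} expands to "" and the policy field is empty,
    which is what the captured Access-Accept shows.
    """
    ou = first_ou(dn, ignore_case)
    policy = ou if ou is not None else ""
    return "Enterasys:version=1:policy=%s" % policy


def filter_id_or_none(dn, ignore_case=True):
    """Fail-closed variant (my assumption, not in the post): return None instead
    of an empty policy so the caller can refuse to send a blank policy."""
    ou = first_ou(dn, ignore_case)
    return None if ou is None else "Enterasys:version=1:policy=%s" % ou
```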