Preserve ldap attributes after proxy

Tamás Becz tamas.becz at ericsson.com
Fri Nov 7 17:02:57 CET 2014


Hi everyone,

I'm trying to wrap my head around this, digging in the archives and the wiki
with no luck, so I'm looking for a few pointers.

We are currently using freeradius to proxy requests to a central
One-Time-password server (which is outside our control). This is purely
authentication, we send the cleartext token we received from the NAS, they
check and either reject or reply. (The only reason we do this is because the
upstream organization is not willing to deal with the administration of the
NASes and we've been asked to aggregate traffic)

Now with a new solution I also need to query a central ldap database for
authorization info: I need to get a given attribute off of user records and
present them to the NAS. I was pointing my finger at Filter-Id, but purely
because the NAS docs point at it; it could really be anything.

If I omit the proxy part, then it's just a straightforward ldap config with
adding the attribute as a reply Item mapped to Filter-ID in the ldap.attrmap
with +=, getting rid of reading the userPassword so that no one tries to
auth against the password there and enable ldap in the authorize section.

However, when I then proxy the request these extra Filter-Ids are lost: they
are neither proxied (which is just as well, I really don't know what would
the homeserver do about it) nor are they sent in my reply. I've found traces
of something like this being discussed that this is because there is a
separate data structure, but that is over a decade old, and I'm a bit
confused on how this is supposed to work.

Is there a way to keep those attributes (or to get them after proxying,
either in post-proxy or post-auth maybe?) by using rlm_ldap? I could
probably write a short perl that queries this directly in post-auth, but
basically the reason I want to do this in radius instead of the NAS is
because I would need a mild hack on my networking to allow it to directly
reach the ldap, so I thought that, the radius box can reach the ldap, it can
talk ldap, the nas is connected anyway... But if it's troublesome with
radius, then I'd rather not hack it.

Does anyone have a pointer on which track I should go down?

Thanks!

tamas
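The configuration the question describes, written out as an added example that is not part of the original post and not the FreeRADIUS project's own documentation. It shows the non-proxy setup (an ldap.attrmap line mapping an LDAP attribute onto Filter-Id with +=, no userPassword check item) together with one way to get the attribute into the reply that reaches the NAS even when the request is proxied: look it up again in post-auth with the rlm_ldap %{ldap:...} xlat, which runs after the home server's reply has been handled. The LDAP attribute name radiusFilterId and the base DN dc=example,dc=com are assumed placeholders; the xlat returns the first value of the requested attribute.

```conf
# Added example, not code from the original post or from FreeRADIUS.
# Assumptions: the LDAP attribute "radiusFilterId" and the base DN
# "dc=example,dc=com" are hypothetical; substitute your own.

# --- raddb/ldap.attrmap -------------------------------------------
# Map the directory attribute to a reply item. The fourth column is
# the operator: += appends one Filter-Id per LDAP value instead of
# overwriting an existing one. No "checkItem User-Password userPassword"
# line, so rlm_ldap never tries to authenticate the user itself.
replyItem   Filter-Id   radiusFilterId   +=

# --- raddb/sites-enabled/default ----------------------------------
# Reply items that rlm_ldap adds in authorize are built before the
# request is sent to the home server. To make sure the attribute is
# present in the Access-Accept the NAS receives, add it in post-auth,
# which runs after the proxied reply has been processed.
authorize {
    preprocess
    ldap
    # realm / proxy decision as before
}

post-auth {
    update reply {
        # one-off lookup of the attribute for the authenticated user
        Filter-Id += "%{ldap:ldap:///dc=example,dc=com?radiusFilterId?sub?(uid=%{User-Name})}"
    }
}
```

Run `radiusd -X` and send a test request: the debug output for the outgoing Access-Accept should list the Filter-Id value, and the Access-Request forwarded to the home server should not contain it, since post-auth runs only after proxying. If the directory holds several values and all of them are needed, a second rlm_ldap instance (with its own attrmap) called from post-auth is the usual alternative to the single-value xlat.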

