Preserve ldap attributes after proxy

Tamás Becz tamas.becz at ericsson.com
Mon Nov 10 13:17:34 CET 2014


Hi,

> Tamás Becz wrote:
> > Yes I got that, but the NAS (which is mainly a VPN concentrator)
> > actually uses the value for assigning firewall rules to the user's
> > session which is precisely what Filter-Id is for if I understand the rfc
> correctly.
> 
>   OK... you didn't say that originally.  Knowing that helps.
> 

Yes, I originally intended to provide that only as background information to help set the context for understanding what I want to do with ldap. I drew the line in a bad place when deciding how much info to put in there. Sorry about that.

> > Currently I can't test, but do I understand correctly that rlm_ldap
> > can't put things on the control list, but I could use unlang to copy
> > the attributes from reply to control in authorize after ldap, then
> > copy them back in post-auth?
> 
>   Yes.
> 

I've done some testing. At this point I think it is important to mention that I'm at 2.1.12. While I made it work, I found some gotchas.

If I do:
authorize {
	...
	ldap
	update control {
		Filter-Id += "%{reply:Filter-Id}"
	}
	...
}
post-auth {
	...
	update reply {
		Filter-Id += "%{control:Filter-Id}"
	}
	...
}

Then it's all good until there are multiple attributes, in which case only the first one gets copied (which is all according to the docs). I see that in the 3.x version unlang has been extended with foreach, but is my understanding correct that on the 2.x branch this can't be done with unlang? I see that there's no loop control, but maybe I missed a mass-copy operator?

I can fix it with perl however:
authorize {
	...
	ldap
	update control {
		Filter-Id := "%{reply:Filter-Id[*]}"
	}
	...
}
post-auth {
	...
	update reply {
		Filter-Id := "%{control:Filter-Id}"
	}
	perl
	...
}

Perl:
use strict;
use warnings;
# rlm_perl exports the reply list as this package hash (see example.pl)
use vars qw(%RAD_REPLY);
# return codes as defined in rlm_perl's example.pl
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

sub post_auth {
        if ($RAD_REPLY{"Filter-Id"}) {
                # control:Filter-Id holds the values that "%{reply:Filter-Id[*]}"
                # joined with newlines in authorize; split on either a literal
                # "\n" sequence or a real newline, then hand rlm_perl an array
                # ref so it emits one Filter-Id attribute per element
                my @blown = split(/\\n|\n/, $RAD_REPLY{"Filter-Id"});
                $RAD_REPLY{"Filter-Id"} = \@blown;
                return RLM_MODULE_UPDATED;
        }
        return RLM_MODULE_OK;
}

However, I don't see a way in rlm_perl to directly touch control, so I have to keep unlang around, which is OK, but if I have to call perl anyway then I might as well skip unlang if possible. Is there a way to do that?

Thanks!

tamas
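An added example, not part of the post above and not code from the FreeRADIUS tree: a stand-alone Perl script that exercises the Filter-Id splitting that the post_auth hook above performs, without a running radiusd. The %RAD_REPLY hash is populated by hand the way rlm_perl would populate it, and the Filter-Id values are constructed test data. It assumes (an assumption, not something the post verifies) that the value arriving via "%{control:Filter-Id}" is the [*]-joined string and may carry either a real newline or the escaped two-character sequence \n as separator; it goes beyond the post's hook by also dropping empty and duplicate members, so a blank LDAP value cannot become an empty Filter-Id and each firewall rule reaches the NAS once.

```perl
#!/usr/bin/perl
# Added example (not from the original post or the FreeRADIUS tree):
# exercise the Filter-Id splitting a rlm_perl post_auth hook would do,
# offline. %RAD_REPLY stands in for the hash rlm_perl exports; all
# values below are constructed test data.
use strict;
use warnings;

# Return codes as defined in rlm_perl's example.pl
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_UPDATED => 8;

our %RAD_REPLY;

# Split a [*]-joined Filter-Id into its members. Assumption: the joined
# value uses either a real newline or the escaped sequence "\n" as the
# separator (which one you see depends on how the attribute was printed).
# Empty members and duplicates are dropped.
sub split_filter_ids {
    my ($joined) = @_;
    my %seen;
    return grep { length($_) && !$seen{$_}++ }
           map  { my $s = $_; $s =~ s/^\s+|\s+$//g; $s }
           split(/\\n|\n/, $joined);
}

sub post_auth {
    my $raw = $RAD_REPLY{"Filter-Id"};
    return RLM_MODULE_OK unless defined $raw && length $raw;

    # rlm_perl may already hand us an array ref when several values exist
    my @ids = ref $raw eq 'ARRAY' ? map { split_filter_ids($_) } @$raw
                                  : split_filter_ids($raw);
    return RLM_MODULE_OK unless @ids;

    # An array ref makes rlm_perl emit one Filter-Id attribute per element
    $RAD_REPLY{"Filter-Id"} = \@ids;
    return RLM_MODULE_UPDATED;
}

# Offline driver: constructed inputs covering the escaped separator, a
# real newline, a blank member and a duplicate.
my @cases = (
    [ 'vpn-sales\\nvpn-admin\\n\\nvpn-sales' => [qw(vpn-sales vpn-admin)] ],
    [ "vpn-eng\nvpn-only"                     => [qw(vpn-eng vpn-only)] ],
    [ 'single-rule'                           => [qw(single-rule)] ],
);
for my $c (@cases) {
    my ($in, $want) = @$c;
    %RAD_REPLY = ('Filter-Id' => $in);
    my $rc  = post_auth();
    my $got = join(',', @{ $RAD_REPLY{'Filter-Id'} });
    printf "rc=%d Filter-Id=%s %s\n", $rc, $got,
        $got eq join(',', @$want) ? 'ok' : 'MISMATCH';
}
```

Run it with a plain perl interpreter; each line should end in "ok" and report rc=8 (RLM_MODULE_UPDATED). To use the hook in radiusd, keep only the constants, the two subs and the %RAD_REPLY declaration, and drop the driver loop.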

