LDAP draft-wahl-ldap-session

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jun 23 06:45:43 CEST 2015


> On 22 Jun 2015, at 16:22, Michael Ströder <michael at stroeder.com> wrote:
> 
> Arran Cudbard-Bell wrote:
>> 
>>> On Jun 22, 2015, at 3:38 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>>> 
>>> 
>>>> On Jun 22, 2015, at 3:25 PM, Michael Ströder <michael at stroeder.com> wrote:
>>>> 
>>>> Hi!
>>>> 
>>>> Recently I appreciated very much that some LDAP clients send the Session Track
>>>> Control [1] along with their LDAP requests. draft-wahl-ldap-session was
>>>> written especially with RADIUS in mind. Any chance to see this implemented?
>>> 
>>> So, what would be the session identifier in the case of Authentication (which is when rlm_ldap is being called)?
>> 
>> Looks like it'd be username... Weird.
>> I guess I can see the point.
> 
> Yes, I think so.
> 
>> Are you sure OpenLDAP implements the server portion of this?
> 
> Yes!
> 
> I also make use of it in my web2ldap and in a password self-service
> application. It's nice to see the browser IP getting logged in syslog and even
> in the accesslog DB (when using slapo-accesslog).

OK. Get to testing. v3.1.x branch only. Be sure to run at least 10k requests through it
to check for memory leaks.

I can see the controls going out in wireshark, though it can't decode them.

You need to set:

ldap {
	options {
		session_tracking = yes
	}
}

Depending on what's present in the request it'll include multiple controls (as per the RFC),
one for User-Name, one for Acct-Session-ID, and one for Acct-Multi-Session-ID.

NAS-IP-Address/NAS-IPv6-Address is used as the IP address, and the progname configuration item
is used as the service name.

I think we should fix that (using progname), but it works for testing.

Maybe some sort of ${EXEC} syntax to allow us to call hostname on startup, and write the result
somewhere.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
