debug User-Profile

MichaelLeung gbcbooksmj at gmail.com
Fri Mar 18 07:07:32 CET 2016


I found this on wiki.freeradius.org:


  LDAP ATTRIBUTES

In version 2, the mapping between RADIUS attributes 
<http://wiki.freeradius.org/protocol/Attributes> and LDAP 
<http://wiki.freeradius.org/protocol/LDAP> attributes is in 
raddb/ldap.attrmap. You can edit that file and add any new mapping that 
you may need. The LDAP-schema file is located in 
doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the ldap 
server schema should be updated.

All ldap entries containing radius attributes should contain at least 
"objectclass: radiusprofile"

radiusCheckItem and radiusReplyItem are special. They allow the 
administrator to add any check or reply item respectively without adding 
it in the ldap schema. The format should be:

ldap-attribute: radius-attribute operator value

The version 3 attribute mapping is in the module configuration file 
raddb/mods-available/ldap.

For Example:

radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"



But I don't understand: if we map the radius attr and the ldap attr, 
and then give it a value, why do we store the reply item in LDAP?


On 03/18/2016 01:46 PM, MichaelLeung wrote:
> Does FreeRADIUS 3.0.4 still have ldap.attrmap?
>
> On 03/18/2016 12:46 PM, MichaelLeung wrote:
>> How can I get radiusReplyItem from LDAP?
>>
>> On 03/18/2016 09:25 AM, MichaelLeung wrote:
>>> Any help?
>>>
>>> On 03/17/2016 05:31 PM, MichaelLeung wrote:
>>>> Any reply?
>>>>
>>>> On 03/17/2016 03:20 PM, MichaelLeung wrote:
>>>>> Well, I define an ldap-group check policy:
>>>>>
>>>>> #
>>>>> devicemanager_check {
>>>>>         if (Ldap-Group == "DeviceManager") {
>>>>>                 update reply {
>>>>>                         &User-Profile := "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
>>>>>                 }
>>>>>         }
>>>>>         elsif (Ldap-Group == "Device_Write") {
>>>>>                 update reply {
>>>>>                         &Reply-Message += "Welcome,Device Operator"
>>>>>                 }
>>>>>         }
>>>>>         elsif (Ldap-Group == "Device_Reivew") {
>>>>>                 update reply {
>>>>>                         &Reply-Message += "Welcome Device Reviewer"
>>>>>                 }
>>>>>         }
>>>>>         else {
>>>>>                 update reply {
>>>>>                         &Reply-Message += "you are not authorized to access , please confirm that you have the permission..."
>>>>>                 }
>>>>>                 reject
>>>>>         }
>>>>> }
>>>>>
>>>>> I am not sure whether the user overrides the User-Profile or not.
>>>>>
>>>>>
>>>>> On 03/17/2016 10:56 AM, MichaelLeung wrote:
>>>>>> Hi list,
>>>>>>
>>>>>> My FreeRADIUS version is 3.0.4.
>>>>>>
>>>>>> I have enabled the ldap module and its radius profile feature.
>>>>>>
>>>>>> I need to check that the user is in the specific Ldap-Group, and 
>>>>>> assign the User-Profile which contains all the radius Reply-Items.
>>>>>> So when my NAS tries to authenticate, I can only see radiusd -X 
>>>>>> responding:
>>>>>> (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, 
>>>>>> id=96, length=0
>>>>>> (0)     User-Profile := 
>>>>>> 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
>>>>>> It did not print out which reply items the User-Profile 
>>>>>> contained.
>>>>>> Actually, I defined the reply item as
>>>>>> Huawei-Exec-Privilege := "15"
>>>>>> It will give the highest admin rights to users belonging to group 
>>>>>> Device_Superior to operate the device.
>>>>>>
>>>>>> How can I debug the User-Profile?
>>>>>
>>>>
>>>
>>
>
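As an added illustration (not from this thread or from FreeRADIUS itself) of the generic `radius-attribute operator value` format the wiki excerpt describes, the following script parses a constructed LDIF profile entry, checks for the required `objectclass: radiusprofile`, and applies the `radiusReplyItem` lines to a reply list using FreeRADIUS operator semantics (`:=` replaces, `=` sets only if absent, `+=` appends, `-=` removes). The DN, the Huawei-Exec-Privilege and Cisco-AVPair items mirror the thread; the other values are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDIF fragment (sample data, not a real directory entry).
SAMPLE_LDIF = """\
dn: cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com
objectclass: radiusprofile
radiusReplyItem: Huawei-Exec-Privilege := "15"
radiusReplyItem: Reply-Message += "Welcome, Device Superior"
radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
radiusReplyItem: Session-Timeout = 3600
"""

# "radius-attribute operator value"; longer operators must come before "=".
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|-=|==|=)\s*(.*?)\s*$')

def parse_item(text: str) -> Tuple[str, str, str]:
    """Split one radiusReplyItem/radiusCheckItem value into (attr, op, value)."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"malformed item: {text!r}")
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # strip the surrounding quotes
    return attr, op, value

def parse_profile(ldif: str) -> List[Tuple[str, str, str]]:
    """Collect radiusReplyItem entries from a single LDIF entry."""
    entry: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if ':' not in line:
            continue
        key, _, val = line.partition(':')  # first colon only; values may contain ':'
        entry.setdefault(key.strip().lower(), []).append(val.strip())
    if 'radiusprofile' not in [v.lower() for v in entry.get('objectclass', [])]:
        raise ValueError("profile entry lacks 'objectclass: radiusprofile'")
    return [parse_item(v) for v in entry.get('radiusreplyitem', [])]

def apply_reply_items(items, reply: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply parsed reply items to a copy of the reply list, in order."""
    out = {k: list(v) for k, v in reply.items()}
    for attr, op, value in items:
        if op == ':=':
            out[attr] = [value]                       # always overwrite
        elif op == '=':
            out.setdefault(attr, [value])             # only if not already set
        elif op == '+=':
            out.setdefault(attr, []).append(value)    # add another instance
        elif op == '-=':
            out[attr] = [v for v in out.get(attr, []) if v != value]
        else:
            raise ValueError(f"{op} is a check operator, not valid in a reply item")
    return out
```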


