debug User-Profile

MichaelLeung gbcbooksmj at gmail.com
Fri Mar 18 10:25:59 CET 2016


There are more steps.

In the LDAP server, in your profile store DN:
1. add a radiusprofile objectclass
2. add radiusProfileDn
   set its value to its own DN
3. add radiusReplyItem attribute
   add the first value:
   Reply-Message += "Welcome administrator %{User-Name}"
   add the second value:
   Huawei-Exec-Privilege := 15

And then
valuepair_attribute = "radiusReplyItem"
This setting will retrieve radiusReplyItem's values and add them to the RADIUS reply section.

That's all.

On 03/18/2016 05:05 PM, MichaelLeung wrote:
> hope this could help more people
>
> On 03/18/2016 04:55 PM, MichaelLeung wrote:
>> finally, I figured out how it works
>>
>> first, edit mods-available/ldap
>> in global section
>> add:
>>
>> valuepair_attribute = "radiusReplyItem"
>>
>> in profile section
>> uncomment and change the default values
>> profile {
>>     default = "%{control:User-Profile}"
>> }
>>
>> go to policy.d/ directory
>> create a policy, whatever you name it
>> whatevername {
>>     if (Ldap-Group == "groupname in LDAP, or DN") {
>>         update {
>>             &control:User-Profile := "profile dn in LDAP"
>>         }
>>         updated
>>     }
>>     else {
>>         reject
>>     }
>> }
>>
>> go to site-available/ directory
>>
>> edit the virtual server you want
>>
>> in the authorize section
>>
>> add the policy into it
>>
>> On 03/18/2016 02:07 PM, MichaelLeung wrote:
>>> i find this in wiki.freeradius.org
>>>
>>>
>>>   LDAP ATTRIBUTES
>>>
>>> In version 2, the mapping between RADIUS attributes 
>>> <http://wiki.freeradius.org/protocol/Attributes> and LDAP 
>>> <http://wiki.freeradius.org/protocol/LDAP> attributes is in 
>>> raddb/ldap.attrmap. You can edit that file and add any new mapping 
>>> that you may need. The LDAP-schema file is located in 
>>> doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the 
>>> ldap server schema should be updated.
>>>
>>> All ldap entries containing radius attributes should contain at 
>>> least "objectclass: radiusprofile"
>>>
>>> radiusCheckItem and radiusReplyItem are special. They allow the 
>>> administrator to add any check or reply item respectively without 
>>> adding it in the ldap schema. The format should be:
>>>
>>> ldap-attribute: radius-attribute operator value
>>>
>>> The version 3 attribute mapping is in the module configuration file 
>>> raddb/mods-available/ldap
>>>
>>> For Example:
>>>
>>> radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
>>>
>>>
>>> but I don't understand: if we map the radius attr and ldap attr 
>>> and then give it a value, why do we store the reply item in LDAP?
>>>
>>>
>>> On 03/18/2016 01:46 PM, MichaelLeung wrote:
>>>> does freeradius 3.0.4 still have ldap.attrmap?
>>>>
>>>> On 03/18/2016 12:46 PM, MichaelLeung wrote:
>>>>> how can I get radiusReplyItem from LDAP?
>>>>>
>>>>> On 03/18/2016 09:25 AM, MichaelLeung wrote:
>>>>>> any help?
>>>>>>
>>>>>> On 03/17/2016 05:31 PM, MichaelLeung wrote:
>>>>>>> any reply?
>>>>>>>
>>>>>>> On 03/17/2016 03:20 PM, MichaelLeung wrote:
>>>>>>>> well, I defined an ldap-group check policy
>>>>>>>>
>>>>>>>> #
>>>>>>>> devicemanager_check {
>>>>>>>>         if (Ldap-Group == "DeviceManager") {
>>>>>>>>                 update reply {
>>>>>>>>                         &User-Profile := "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
>>>>>>>>                 }
>>>>>>>>         }
>>>>>>>>         elsif (Ldap-Group == "Device_Write") {
>>>>>>>>                 update reply {
>>>>>>>>                         &Reply-Message += "Welcome,Device Operator"
>>>>>>>>                 }
>>>>>>>>         }
>>>>>>>>         elsif (Ldap-Group == "Device_Reivew") {
>>>>>>>>                 update reply {
>>>>>>>>                         &Reply-Message += "Welcome Device Reviewer"
>>>>>>>>                 }
>>>>>>>>         }
>>>>>>>>         else {
>>>>>>>>                 update reply {
>>>>>>>>                         &Reply-Message += "you are not authorized to access , please confirm that you have the permission..."
>>>>>>>>                 }
>>>>>>>>                 reject
>>>>>>>>         }
>>>>>>>> }
>>>>>>>>
>>>>>>>> I am not sure whether the user overrides the User-Profile or not.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 03/17/2016 10:56 AM, MichaelLeung wrote:
>>>>>>>>> hi list
>>>>>>>>>
>>>>>>>>> my freeradius version is 3.0.4
>>>>>>>>>
>>>>>>>>> I have enabled the ldap module and its radius profile feature.
>>>>>>>>>
>>>>>>>>> and I need to check that the user is in the specific Ldap-Group, 
>>>>>>>>> and assign the User-Profile which contains all the radius 
>>>>>>>>> Reply-Items.
>>>>>>>>> so when my NAS tries to authenticate, I can only see radius 
>>>>>>>>> -X responding:
>>>>>>>>> (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, 
>>>>>>>>> id=96, length=0
>>>>>>>>> (0)     User-Profile := 
>>>>>>>>> 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
>>>>>>>>> it did not print out what reply items the User-Profile 
>>>>>>>>> contained.
>>>>>>>>> and actually, I defined the reply item as
>>>>>>>>> Huawei-Exec-Privilege := "15"
>>>>>>>>> it will give the highest admin right to the users belonging to 
>>>>>>>>> group Device_Superior to operate the device.
>>>>>>>>>
>>>>>>>>> how can I debug the User-Profile?
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
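An added example, not part of this thread or of FreeRADIUS itself: it takes a constructed LDIF profile entry in the shape the final post's steps 1-3 describe and emulates what rlm_ldap's valuepair_attribute = "radiusReplyItem" turns those values into on the reply, so an entry can be sanity-checked before it is loaded into the directory. The DN, group name and attribute values are placeholders, and the function names are assumptions of this example.

```python
import re

# Constructed sample entry (placeholders), laid out as the post's steps 1-3 describe.
PROFILE_LDIF = """\
dn: cn=Device_Superior,ou=Admin,ou=Group,dc=example,dc=com
objectClass: radiusprofile
radiusProfileDn: cn=Device_Superior,ou=Admin,ou=Group,dc=example,dc=com
radiusReplyItem: Reply-Message += "Welcome administrator %{User-Name}"
radiusReplyItem: Huawei-Exec-Privilege := 15
"""

ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|\+=|=)\s*(.*?)\s*$')   # attr operator value
XLAT_RE = re.compile(r'%\{([\w-]+)\}')                            # %{Attribute} expansion

def parse_ldif_entry(ldif):
    """Return a single LDIF entry as {attribute: [values]} (no continuation lines)."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def parse_reply_item(item):
    """Split 'radius-attribute operator value' (the format quoted from the wiki)."""
    m = ITEM_RE.match(item)
    if not m:
        raise ValueError(f'malformed radiusReplyItem: {item!r}')
    attr, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]   # strip the double quotes the value may carry
    return attr, op, value

def apply_reply_items(entry, request):
    """Emulate the reply built from radiusReplyItem: ':=' replaces, '+=' appends,
    '=' sets only if absent; %{Name} is expanded from the request attributes."""
    if 'radiusprofile' not in (c.lower() for c in entry.get('objectClass', [])):
        raise ValueError('entry lacks objectClass radiusprofile')
    reply = {}
    for item in entry.get('radiusReplyItem', []):
        attr, op, value = parse_reply_item(item)
        value = XLAT_RE.sub(lambda m: request.get(m.group(1), ''), value)
        if op == ':=':
            reply[attr] = [value]
        elif op == '+=':
            reply.setdefault(attr, []).append(value)
        elif attr not in reply:
            reply[attr] = [value]
    return reply
```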



More information about the Freeradius-Users mailing list