LDAP group check not working with SQL expansion

Klara Mall klara.mall at kit.edu
Tue Jul 25 21:38:01 CEST 2017


Hi,

On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
> 
>> I've found a dirty workaround with an explicit LDAP lookup:
>>
>> w2vgroupcheck {
>>    if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
>>        # does realm exist?
>>        if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
>>            update request {
>>                Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
>>                Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}"
>>            }
>>            # is user in group according to realm?
>>            if (&Tmp-String-1 != "") {
>>                update reply {
>>                    Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
>>                    Tunnel-Type := VLAN
>>                    Tunnel-Medium-Type := IEEE-802
>>                }
>>            }
>>            else {
>>                reject
>>            }
>>        }
>>        else {
>>            reject
>>        }
>>    }
>> }
> 
> Pushed a fix.  Could you test and see if it addresses your issue.
> 
> https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453a52bbe6bcc02f20f515

Wonderful. I patched the freeradius version in Debian Stretch with it
and it works. :)

Thank you
Klara
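To make the decision logic of the quoted workaround easier to inspect outside FreeRADIUS, here is a small Python model of it. This is an added example, not code from the thread or from the FreeRADIUS project: the `w2v` table is an in-memory sqlite stand-in with constructed rows, the LDAP subtree is a constructed dict of posixGroup cn to memberUid values, and `assign_vlan` reproduces the realm-suffix check, the realm lookup, the group-membership check and the VLAN reply. Two things differ deliberately from the unlang: the three `%{sql:...}` calls collapse into one parameterized query, and the LDAP filter is built with RFC 4515 escaping so a user name containing `*`, `(`, `)` or `\` cannot change the meaning of the membership filter.

```python
"""Model of the w2v realm -> VLAN policy from the unlang workaround.

Added example (not FreeRADIUS code).  Table rows and group data below are
constructed for the demonstration.
"""
import re
import sqlite3

# Constructed rows for the w2v table: (vlan_name, group_name, vlan_id).
W2V_ROWS = [
    ("lab", "lab-users", "101"),
    ("office", "office-staff", "202"),
]

# Constructed stand-in for ou=unix,ou=IDM,dc=kit,dc=edu: cn -> memberUid list.
POSIX_GROUPS = {
    "lab-users": ["alice", "bob"],
    "office-staff": ["carol"],
}

# Same shape as the unlang regex: one label followed by .w2v.kit.edu
REALM_RE = re.compile(r"^([^.]+)\.w2v\.kit\.edu$")

# Reply attributes set on accept, as in the "update reply" block.
TUNNEL_TYPE = "VLAN"
TUNNEL_MEDIUM_TYPE = "IEEE-802"


def make_w2v_db():
    """Create the in-memory w2v table used in place of the real SQL module."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE w2v (vlan_name TEXT PRIMARY KEY, group_name TEXT, vlan_id TEXT)"
    )
    db.executemany("INSERT INTO w2v VALUES (?, ?, ?)", W2V_ROWS)
    return db


def ldap_filter_escape(value):
    """Escape an assertion value per RFC 4515 section 3 (\\XX hex form)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_member_filter(group, user):
    """Build the same filter the workaround uses, with escaped values."""
    return "(&(cn=%s)(objectClass=posixGroup)(memberUid=%s))" % (
        ldap_filter_escape(group),
        ldap_filter_escape(user),
    )


def assign_vlan(db, stripped_user_domain, stripped_user_name, user_name=None):
    """Return ("noop" | "reject" | "accept", reply_attrs_or_None).

    Mirrors the unlang block: no realm suffix -> nothing happens; unknown
    realm -> reject; user not in the realm's group -> reject; otherwise the
    VLAN reply attributes are returned.
    """
    match = REALM_RE.match(stripped_user_domain or "")
    if not match:
        return ("noop", None)
    realm = match.group(1)

    # One parameterized query instead of three interpolated xlats.
    row = db.execute(
        "SELECT group_name, vlan_id FROM w2v WHERE vlan_name = ?", (realm,)
    ).fetchone()
    if row is None:
        return ("reject", None)  # realm does not exist
    group_name, vlan_id = row

    # %{%{Stripped-User-Name}:-%{User-Name}}
    uid = stripped_user_name or user_name or ""
    # The filter is what would be sent to LDAP; the dict lookup evaluates it.
    _filter = ldap_member_filter(group_name, uid)
    if uid in POSIX_GROUPS.get(group_name, []):
        return (
            "accept",
            {
                "Tunnel-Private-Group-Id": vlan_id,
                "Tunnel-Type": TUNNEL_TYPE,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE,
            },
        )
    return ("reject", None)


if __name__ == "__main__":
    db = make_w2v_db()
    for domain, user in [("lab.w2v.kit.edu", "alice"),
                         ("lab.w2v.kit.edu", "carol"),
                         ("nope.w2v.kit.edu", "alice"),
                         ("kit.edu", "alice")]:
        print(domain, user, "->", assign_vlan(db, domain, user))
    print(ldap_member_filter("lab-users", "ali*ce)"))
```

The escaping function is the part worth keeping in mind when reading the original: the `ldap` xlat in FreeRADIUS escapes filter values itself, so the workaround is fine as written, but any reimplementation of the same lookup in another tool needs the equivalent step.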


