LDAP group check not working with SQL expansion

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jul 25 21:44:48 CEST 2017


> On Jul 25, 2017, at 3:38 PM, Klara Mall <klara.mall at kit.edu> wrote:
> 
> Hi,
> 
> On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
>> 
>>> I've found a dirty workaround with an explicit LDAP lookup:
>>> 
>>> w2vgroupcheck {
>>>   if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
>>>       # does realm exist?
>>>       if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
>>>           update request {
>>>               Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
>>>               Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}"
>>>           }
>>>           # is user in group according to realm?
>>>           if (&Tmp-String-1 != "") {
>>>               update reply {
>>>                   Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
>>>                   Tunnel-Type := VLAN
>>>                   Tunnel-Medium-Type := IEEE-802
>>>               }
>>>           }
>>>           else {
>>>               reject
>>>           }
>>>       }
>>>       else {
>>>           reject
>>>       }
>>>   }
>>> }
>> 
>> Pushed a fix.  Could you test and see if it addresses your issue.
>> 
>> https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453a52bbe6bcc02f20f515
> 
> Wonderful. I patched the freeradius version in Debian Stretch with it
> and it works. :)

Excellent, thanks for confirming!

-Arran
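The decision logic of the quoted workaround (realm -> SQL row -> LDAP posixGroup membership -> VLAN reply attributes, with the two reject paths), as an added example that is not part of the original thread or of FreeRADIUS itself. It assumes an in-memory sqlite table standing in for the `w2v` table and a dict standing in for the LDAP posixGroup search; the table rows and group members are constructed sample data.

```python
import re
import sqlite3

# Constructed sample rows for the w2v table used by the quoted policy:
# (vlan_name, group_name, vlan_id)
W2V_ROWS = [("sales", "sales-wifi", 101), ("lab", "lab-users", 202)]

# Constructed stand-in for the LDAP posixGroup entries: cn -> memberUid values
POSIX_GROUPS = {"sales-wifi": ["alice", "bob"], "lab-users": ["carol"]}

# Same realm pattern as the unlang condition: first label is the vlan_name
REALM_RE = re.compile(r"^([^.]+)\.w2v\.kit\.edu$")

REPLY_STATIC = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}


def open_w2v():
    """Build the in-memory table that replaces the SQL module here (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE w2v (vlan_name TEXT, group_name TEXT, vlan_id INTEGER)")
    db.executemany("INSERT INTO w2v VALUES (?, ?, ?)", W2V_ROWS)
    return db


def w2v_group_check(db, user_name, stripped_domain, stripped_user=None, groups=POSIX_GROUPS):
    """Mirror the w2vgroupcheck policy.

    Returns ("noop", None) when the realm is not a *.w2v.kit.edu realm,
    ("reject", reason) on either reject branch, or ("accept", reply_attrs).
    """
    m = REALM_RE.match(stripped_domain or "")
    if not m:
        return ("noop", None)  # policy does not apply; fall through
    vlan_name = m.group(1)
    # Parameterised query plays the role of the sql module's xlat escaping.
    row = db.execute(
        "SELECT group_name, vlan_id FROM w2v WHERE vlan_name = ?", (vlan_name,)
    ).fetchone()
    if row is None:
        return ("reject", "unknown realm")  # "does realm exist?" branch
    group_name, vlan_id = row
    # %{%{Stripped-User-Name}:-%{User-Name}}: prefer the stripped name
    uid = stripped_user or user_name
    if uid not in groups.get(group_name, []):
        return ("reject", "not a member of " + group_name)
    reply = {"Tunnel-Private-Group-Id": str(vlan_id)}
    reply.update(REPLY_STATIC)
    return ("accept", reply)
```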

