freeradius 3.0.13 LDAP - reply custom Vendor Specific
Paweł Cituk
pawelcit at gmail.com
Thu Nov 30 16:34:27 CET 2017
In the dictionary I have added:

    ATTRIBUTE I 5003 string
    ATTRIBUTE H 5004 string

And the section in mods-available/ldap looks like this:

    #
    # Post-Auth can modify LDAP objects too
    #
    post-auth {
        update {
            description := "Authenticated at %S"
        }
        update reply {
            H = "4"
            I = "4"
        }
    }

I run: radiusd -Xxxx and log in using IPMI

Thu Nov 30 16:28:37 2017 : Debug: rlm_ldap (ldap): Reserved connection (1)
Thu Nov 30 16:28:37 2017 : Debug: (0) ldap: Login attempt by "user1"
Thu Nov 30 16:28:37 2017 : Debug: (0) ldap: Using user DN from request "uid=user1,cn=users,cn=accounts,dc=company,dc=com"
Thu Nov 30 16:28:37 2017 : Debug: (0) ldap: Waiting for bind result...
Thu Nov 30 16:28:37 2017 : Debug: (0) ldap: Bind successful
Thu Nov 30 16:28:37 2017 : Debug: (0) ldap: Bind as user "uid=user1,cn=users,cn=accounts,dc=company,dc=com" was successful
Thu Nov 30 16:28:37 2017 : Debug: rlm_ldap (ldap): Released connection (1)
Thu Nov 30 16:28:37 2017 : Debug: (0) modsingle[authenticate]: returned from ldap (rlm_ldap)
Thu Nov 30 16:28:37 2017 : Debug: (0) [ldap] = ok
Thu Nov 30 16:28:37 2017 : Debug: (0) } # Auth-Type LDAP = ok
Thu Nov 30 16:28:37 2017 : Debug: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
Thu Nov 30 16:28:37 2017 : Debug: (0) post-auth {
Thu Nov 30 16:28:37 2017 : Debug: (0) update {
Thu Nov 30 16:28:37 2017 : Debug: (0) No attributes updated
Thu Nov 30 16:28:37 2017 : Debug: (0) } # update = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) modsingle[post-auth]: calling exec (rlm_exec)
Thu Nov 30 16:28:37 2017 : Debug: (0) modsingle[post-auth]: returned from exec (rlm_exec)
Thu Nov 30 16:28:37 2017 : Debug: (0) [exec] = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) policy remove_reply_message_if_eap {
Thu Nov 30 16:28:37 2017 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) {
Thu Nov 30 16:28:37 2017 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
Thu Nov 30 16:28:37 2017 : Debug: (0) else {
Thu Nov 30 16:28:37 2017 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always)
Thu Nov 30 16:28:37 2017 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always)
Thu Nov 30 16:28:37 2017 : Debug: (0) [noop] = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) } # else = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) } # policy remove_reply_message_if_eap = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) } # post-auth = noop
Thu Nov 30 16:28:37 2017 : Debug: (0) Sent Access-Accept Id 0 from 10.10.11.11:1812 to 10.10.12.95:2048 length 0
Thu Nov 30 16:28:37 2017 : Debug: (0) Finished request
Thu Nov 30 16:28:37 2017 : Debug: Waking up in 4.9 seconds.
Thu Nov 30 16:28:42 2017 : Debug: (0) Cleaning up request packet ID 0 with timestamp +11
Thu Nov 30 16:28:42 2017 : Info: Ready to process requests

Should I see my custom attributes in this output?

2017-11-30 16:09 GMT+01:00 Matthew Newton <mcn at freeradius.org>:
> On Thu, 2017-11-30 at 15:56 +0100, Paweł Cituk wrote:
> >
> > I try to authenticate an IPMI server through freeradius but it requires
> > two custom attributes (Vendor Specific), i.e. for admin H=4 and I=4.
> >
> > How should I configure freeradius to reply for every request with
> > the above custom attributes (without adding them in the ldap schema)
>
> Use unlang in the post-auth section to add reply attributes, e.g.
>
>     update reply {
>         Attribute-1 = "value1"
>         Attribute-2 = "value2"
>     }
>
> If the attributes aren't already in the supplied FreeRADIUS dictionary
> files then you'll need to add them to raddb/dictionary.
>
> --
> Matthew
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
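
A way to check a debug log like the one in this message, as an added example (not part of the original post and not FreeRADIUS code): in FreeRADIUS 3.x debug output the attributes of a reply are listed on the lines that follow "Sent Access-Accept", so this script rejoins mail-wrapped log lines and reports, per request, which file's post-auth section ran and which attributes the reply carried. The function names and the sample log are constructed for illustration, and timestamps are assumed to be present as in the -Xxxx output above.

```python
import re

# Constructed sample: request 0 is abridged from the debug output in the post
# (mail wrapping included); request 1 is invented to show a reply with attributes.
SAMPLE = '''\
Thu Nov 30 16:28:37 2017 : Debug: (0) # Executing section post-auth from
file /etc/raddb/sites-enabled/default
Thu Nov 30 16:28:37 2017 : Debug: (0) No attributes updated
Thu Nov 30 16:28:37 2017 : Debug: (0) Sent Access-Accept Id 0 from
10.10.11.11:1812 to 10.10.12.95:2048 length 0
Thu Nov 30 16:28:37 2017 : Debug: (0) Finished request
Thu Nov 30 16:29:02 2017 : Debug: (1) Sent Access-Accept Id 1 from
10.10.11.11:1812 to 10.10.12.95:2048 length 0
Thu Nov 30 16:29:02 2017 : Debug: (1)   H = "4"
Thu Nov 30 16:29:02 2017 : Debug: (1)   I = "4"
'''

STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : \w+: ")

def unwrap(text):
    """Rejoin wrapped lines: a line with no timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(STAMP.sub("", line).rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def audit(text):
    """Per request: file(s) whose post-auth section ran, and attributes in the Access-Accept."""
    reqs, in_reply = {}, None
    for rec in unwrap(text):
        m = re.match(r"\((\d+)\)\s*(.*)", rec)
        if not m:  # server-wide line with no request id
            continue
        rid, msg = m.groups()
        req = reqs.setdefault(rid, {"post_auth_files": [], "accepted": False, "reply": {}})
        section = re.search(r"Executing section post-auth from file (\S+)", msg)
        attr = re.fullmatch(r"([\w.-]+) [:+]?= (.*)", msg)
        if section:
            req["post_auth_files"].append(section.group(1))
        elif msg.startswith("Sent Access-Accept"):
            req["accepted"], in_reply = True, rid
        elif in_reply == rid and attr:  # attribute line directly after the Sent line
            req["reply"][attr.group(1)] = attr.group(2)
        else:
            in_reply = None
    return reqs
```

An accepted request whose "reply" dictionary is empty, as for request 0 here, means the Access-Accept went out without any attributes.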
More information about the Freeradius-Users mailing list