Questions about ldap authentication, huntgroup and authorize file

Jérôme BERTHIER Jerome.Berthier at inria.fr
Thu Oct 12 16:52:27 CEST 2017


Hello Alan,

On 10/10/2017 at 21:37, Alan DeKok wrote:
> On Oct 10, 2017, at 12:00 PM, Jérôme BERTHIER <Jerome.Berthier at inria.fr> wrote:
>> [...]
>    Yes, that should work.  Tho there's no need to check the Huntgroup-Name over and over again.  You could just do:
>
>     if (Huntgroup-Name == "JuniperNet") {
>         if (Ldap-Group == "ldap_group_1") {
>             update reply {
>                 Service-Type = Login
>                 Juniper-Local-User-Name := "radius-admin"
>             }
>         }
>         # second branch must test a different group, otherwise it is never reached;
>         # "ldap_group_2" is a placeholder name
>         elsif (Ldap-Group == "ldap_group_2") {
>             update reply {
>                 Service-Type = Login
>                 Juniper-Local-User-Name := "radius-operator"
>             }
>         }
>         else {
>             reject
>         }
>     }
>
>    That seems a lot clearer.

Yes, thank you,
but as far as I can see, this syntax does not work inside the authorize file.
I took a look at the rlm_files man page. I noticed that the variable for
Cistron compatibility is not set to no. I tried to fix it. It does not
change anything.
Did you point to the unlang syntax in order to use it in other files like the
default site file?

>
>> Do you mean that I need to setup one module file for each ldap server ?
>    If the LDAP servers are different, yes.
>
>    Your previous message mentioned multiple LDAP instances.  So... do you have multiple instances or not?

Yes.
I used to list all LDAP servers in the same ldap file in the mods
directory (a single file for all LDAP servers).

>
>> In the file authorize, I tried to use this attribute associated to each ldap server listed in the module file ldap.
>> For example :
>> DEFAULT     myldap1-Ldap-Group=="ldap_group_1" , Huntgroup-Name == JuniperNet
>>              Service-Type = Login,
>>              Juniper-Local-User-Name := "radius-admin"
>>
>> then radiusd does not start because the attribute is unknown :
>>
>> /etc/raddb/mods-config/files/authorize[229]: Parse error (check) for entry DEFAULT: Unknown attribute "myldap1-Ldap-Group"
>> Failed reading /etc/raddb/mods-config/files/authorize
>> /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
>    Do you have an LDAP module which has:
>
> 	ldap myldap1 {
> 		...
> 	}
>
>    ?


Yes.
I tried to create a specific module file for a specific LDAP instance
myldap1, then I called it in the authorize file.

In both cases, the authorize module is not validated when starting radiusd:
/etc/raddb/mods-config/files/authorize[228]: Parse error (check) for entry DEFAULT: Unknown attribute "myldap1-Ldap-Group"
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"


>
>    Again, see the comments in raddbs/mods-available/ldap.  Or the Wiki.  This is all documented.

I read it again.
I understand that it is possible to use a specific LDAP instance and to
call it to check groups using <myldap>-Ldap-Group, but it seems that it is
not supported in the authorize file.

I guess it should be used in the post-auth section.

Thank you very much

Regards,
-- 

Jérôme BERTHIER
DSI - SESI - Equipe Conception
Inria Bordeaux - Sud-Ouest
+ 33 5 24 57 40 50
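As an added example (not from this thread, and not FreeRADIUS's own shipped config), this is the shape of the configuration discussed above written as unlang in the virtual server rather than as a users-file entry: a named instance in mods-enabled/ldap, then the huntgroup and group checks in the authorize section of sites-enabled/default. The server name, base DNs and "ldap_group_2" are placeholders.

```unlang
# mods-enabled/ldap (excerpt): a named instance, so the attribute
# myldap1-Ldap-Group exists. Server and DNs are placeholders.
ldap myldap1 {
	server = "ldap1.example.org"
	base_dn = "dc=example,dc=org"
	user {
		base_dn = "ou=people,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = "(objectClass=groupOfNames)"
		name_attribute = cn
		membership_attribute = memberOf
	}
}

# sites-enabled/default (excerpt): the checks live in unlang here,
# not in mods-config/files/authorize.
authorize {
	preprocess     # sets Huntgroup-Name from mods-config/preprocess/huntgroups
	myldap1        # look the user up in this instance
	if (Huntgroup-Name == "JuniperNet") {
		if (myldap1-Ldap-Group == "ldap_group_1") {
			update reply {
				Service-Type = Login
				Juniper-Local-User-Name := "radius-admin"
			}
		}
		elsif (myldap1-Ldap-Group == "ldap_group_2") {   # placeholder group
			update reply {
				Service-Type = Login
				Juniper-Local-User-Name := "radius-operator"
			}
		}
		else {
			reject     # in the huntgroup but in neither admin group
		}
	}
	pap
}
```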

