Multi-valued LDAP attribute configuration

Winfield, Alister Alister.Winfield at sky.uk
Wed Sep 13 17:14:06 CEST 2017


Do the LDAP query using the command line tool “ldapsearch”.

If you really have a multi-valued attribute with the right value(s) it should work.

I’d expect to see something like:


dn: cn=foo,dc=bar,dc=com
cn: foo
userServices: 00:01:02:03:04:05
userServices: 0a:0b:0c:0d:0e:0f
userServices: aa:bb:cc:dd:ee:ff
objectClass: ….
…

In the output of the command line search.

Alister


On 13/09/2017, 12:26, "Freeradius-Users on behalf of Srinivasa R" <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on behalf of srinivasa.r at icts.res.in> wrote:

    Hi Peter,


    On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:

    > What you should do a ldap query based on the incoming MAC address:
    >
    >         user {
    >                 filter = "(userServices=%{User-Name})"
    >
    > Assuming the User-Name is the MAC address of the incoming client. The
    > "userServices" I assume is the multi-valued attribute in your ldap
    > directory.
    >
    I have tried this, but it is checking for the first value only and accepting
    only for the first field value out of three.



    > Then if you get a response you know the record exists, otherwise it doesn't
    > and reject the request.
    >
    >
    >
    > On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <steffen.klemer at gwdg.de>
    > wrote:
    >
    > > On Tue, 12.09.2017 at 18:30, Srinivasa R
    > > <srinivasa.r at icts.res.in> wrote:
    > >
    > > > I have installed FreeRADIUS server (Version 3.0.4) on CentOS 7 and
    > > > configured the external authentication with 389-DS server using
    > > > rlm_ldap module. I would like to authenticate the MAC address of all
    > > > the users which I have stored in LDAP. The macaddress field in LDAP is
    > > > a multi-value attribute and FreeRADIUS is communicating with LDAP
    > > > without any issues, but FreeRADIUS is authenticating only the
    > > > first macaddress value from LDAP's multi-value field.
    > > >
    > > > I would like to configure FreeRADIUS to authenticate all the
    > > > values from the multi-value field. Someone suggested that we can
    > > > configure this using the rlm_python or rlm_perl module. I am not a coder
    > > > and I am not able to find any step-by-step guide to configure the same.
    > > > Could someone guide me on how to configure FreeRADIUS to
    > > > authenticate a multi-valued LDAP attribute?
    > >
    > > I used unlang features to implement sth. like this. I think you can
    > > adapt it to your use case.
    > >
    > >
    > > In the LDAP module I have sth like
    > >
    > > update {
    > >   request:gwdg-user-services += 'userServices'
    > > }
    > >
    > > where userServices is multi-valued and sometimes included
    > > 'eduroamNotAllowed'
    > >
    > >
    > > In the site I check against all occurrences:
    > >
    > > if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) {
    > > ...
    > > }
    > >
    > >
    > > Regards,
    > > /Steffen
    > >


    Regards,
    --

    Srinivas R
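Added example (not part of any message in this thread): a shell helper for the ldapsearch check described at the top, which lists every value of a multi-valued attribute from LDIF output and reports whether a MAC matches one of them exactly or only after normalising case and separators. The function names, the sample entry, the placeholder host and the normalisation step are assumptions made for illustration.

```shell
#!/bin/sh
# Reduce a MAC to 12 lower-case hex digits (drops ':', '-', '.', spaces).
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -cd '0-9a-f'
}

# attr_values ATTR < ldif : print every value of ATTR, one per line.
# "ATTR:: ..." is base64; LDIF uses it when a value has e.g. a trailing space.
attr_values() {
    attr=$1
    while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# match_mac ATTR MAC < ldif : print exact | normalised | none | invalid-mac.
match_mac() {
    want=$2
    want_n=$(norm_mac "$want")
    if [ "${#want_n}" -ne 12 ]; then echo invalid-mac; return 0; fi
    result=none
    vals=$(attr_values "$1")
    while IFS= read -r v; do
        if [ "$v" = "$want" ]; then result=exact; break; fi
        if [ "$(norm_mac "$v")" = "$want_n" ]; then result=normalised; fi
    done <<EOF
$vals
EOF
    echo "$result"
}

# Constructed sample entry: three values stored in three different forms.
sample_ldif() {
    cat <<'EOF'
dn: cn=foo,dc=bar,dc=com
cn: foo
userServices: 00:01:02:03:04:05
userServices: 0A-0B-0C-0D-0E-0F
userServices:: YWE6YmI6Y2M6ZGQ6ZWU6ZmYg
EOF
}

# Real use (ldap.example.org is a placeholder host):
#   ldapsearch -x -LLL -H ldap://ldap.example.org -b dc=bar,dc=com \
#     '(cn=foo)' userServices | match_mac userServices 0a:0b:0c:0d:0e:0f
sample_ldif | match_mac userServices 0a:0b:0c:0d:0e:0f
```

A result of "normalised" means the value is present but stored in a different textual form from the one being compared.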


