VLan affect based on ldap attribute freeradius v3

jehan procaccia int jehan.procaccia at int-evry.fr
Thu Aug 30 22:55:08 CEST 2018


My responses below

Le 30/08/2018 à 19:32, Matthew Newton a écrit :
> On Thu, 2018-08-30 at 19:06 +0200, jehan procaccia INT wrote:
>> 2) running radiusd -X I do see the ldap query and attribute returned
>> correctly
>>
>> rlm_ldap (prod): Reserved connection (3)
>> (41) prod: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> (41) prod:    --> (uid=teststud)
>>
>> ...
>>
>> (41) prod: Processing user attributes
>> (41) prod: control:Password-With-Header += '{CRYPT}secretaoSOObH1'
>> (41) prod: control:NT-Password += secret3735323731
>> (41) prod: reply:Reply-Message := 'faculty'
>> (41) prod: reply:User-Category += 'faculty'
>> rlm_ldap (prod): Released connection (3)
>> (41)       [prod] = updated
> OK
>
>>        if ((reply:UserCategory == "employee") ||
>> (reply:UserCategory == "faculty") || (reply:UserCategory == "staff"
>> ) || (reply:UserCategory == "researcher") || (reply:UserCategory ==
>> "member")) {
>>                  update reply {
>>                          Tunnel-Private-Group-Id := 903
>>                  }
> Use &reply:User-Category, etc
I did that, but it still fails, now with the error:

(30)       if (( &reply:User-Category == "employee") || 
(&reply:User-Category == "faculty") || (&reply:User-Category == "staff" 
) || (&reply:User-Category == "researcher") || (&reply:User-Category == 
"member")) {
(30)       ERROR: Failed retrieving values required to evaluate condition
(30)       elsif ( (&reply:User-Category == "student" ) || 
(&reply:User-Category == "affiliate") ) {
(30)       ERROR: Failed retrieving values required to evaluate condition
(30)       else {
(30)         update reply {
(30)           Tunnel-Private-Group-Id := 902

So it is still not clear whether my attribute is named User-Category or
UserCategory (without the "-")!?
And what's the difference between reply and &reply?
from 
https://wiki.freeradius.org/config/run_time_variables#attributes-as-environment-variables-in-executed-programs 

I see that "-" should be replaced by "_", but that's for shell rlm_exec,
not rlm_ldap?

now if I set in vlanaffect.conf

  if (( &reply:UserCategory == "employee") || (&reply:UserCategory
== "faculty") || (&reply:UserCategory == "staff" ) ||
(&reply:UserCategory == "researcher") || (&reply:UserCategory ==
"member")) {
                 update reply {
                         Tunnel-Private-Group-Id := 903

radiusd -X fails on:
} # server default
/etc/raddb/sites-enabled/../vlanaffect.conf[3]: Unknown attribute
'UserCategory'

in  mods-available/ldap I have the following mapping

ldap prod {
  update {
  reply:User-Category                     += 'eduPersonPrimaryAffiliation'

Should (can?) I rename :User-Category to :UserCategory here?
>
>
>> is there a way to print the value of an attribute to check its
>> name and value ?
> debug_reply
Where do you set that? I do see in policy.d/debug

debug_reply {
         if("%{debug_attr:reply:}" == '') {
                 noop
         }
Does it mean it is set already?
>
> If it's not there... is this the same RADIUS packet? e.g. you set
> User-Category in one packet, and then checking it again in the next packet. If so, use the session-state: list instead of reply:.
I use eduroam with PEAP/MSCHAPv2 (inner-tunnel), so maybe different RADIUS
packets are involved. Would it be in my vlanaffect script that I should
replace reply with session-state?

Thanks.
>
>> I am confused by the attribute name itself, you might have noticed in
>> my
>> vlanaffect.conf I use UserCategory but in ldap module it is named
>> User-Category (note the - between User and Category) ! It is so
>> because if in vlanaffect.conf I name it according to the ldap module
>> (User-Category) strangely I get errors in running radiusd -X :
> If you use different names for the attribute then it's not going to
> work...
>
> Try with the & before the attribute name.
>
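The approach the thread converges on (keep the stock attribute name User-Category, reference it with `&`, and carry it across the PEAP inner/outer packets in session-state rather than reply), written out as an added example configuration. This is not the poster's vlanaffect.conf nor a file shipped by the FreeRADIUS project; the policy name vlan_affect, the VLAN IDs 902/903 (taken from the thread), and the regular-expression grouping of the affiliations are my own choices, and the example assumes a v3 install with the stock dictionaries (where User-Category is a defined internal attribute, which is why UserCategory is rejected as "Unknown attribute" at parse time) and the stock inner-tunnel/default post-auth sections that copy reply: into &outer.session-state: and session-state: into the final reply.

```unlang
# --- mods-available/ldap (fragment; added example, not the poster's file) ---
# Keep the stock attribute name User-Category (defined in the shipped
# internal dictionary).  Write the affiliation to session-state: instead of
# reply: so it persists across the packets of one EAP session; the
# inner-tunnel reply list is a different packet from the outer Access-Accept.
ldap prod {
        # server, identity, password, base_dn ... unchanged from the real config
        update {
                control:Password-With-Header  += 'userPassword'
                session-state:User-Category   += 'eduPersonPrimaryAffiliation'
        }
}

# --- policy.d/vlan_affect (added example; the policy name is an assumption) ---
vlan_affect {
        # debug_reply / debug_all in policy.d/debug are policies you CALL from a
        # section, not settings that are "on"; listing one here dumps that
        # list in the radiusd -X output at this point in processing.
        debug_reply

        # '&list:Attr' is an explicit attribute reference.  Test for existence
        # first: comparing an attribute that is absent from the list is what
        # produces "Failed retrieving values required to evaluate condition".
        if (!&session-state:User-Category) {
                update reply {
                        &Reply-Message := "no affiliation returned by LDAP"
                }
                # fall through to the default VLAN below
        }

        # Group the affiliations with one regex each instead of a chain of
        # '||' comparisons; every branch also sets the two Tunnel-* attributes
        # most switches require alongside the VLAN id.
        if (&session-state:User-Category =~ /^(employee|faculty|staff|researcher|member)$/) {
                update reply {
                        &Tunnel-Type             := VLAN
                        &Tunnel-Medium-Type      := IEEE-802
                        &Tunnel-Private-Group-Id := "903"
                }
        }
        elsif (&session-state:User-Category =~ /^(student|affiliate)$/) {
                update reply {
                        &Tunnel-Type             := VLAN
                        &Tunnel-Medium-Type      := IEEE-802
                        &Tunnel-Private-Group-Id := "902"
                }
        }
        else {
                # Missing or unrecognised affiliation: default VLAN.
                update reply {
                        &Tunnel-Type             := VLAN
                        &Tunnel-Medium-Type      := IEEE-802
                        &Tunnel-Private-Group-Id := "902"
                }
        }
}

# --- sites-enabled/inner-tunnel (fragment) ---
# Call the policy in the SAME virtual server whose authorize section ran
# 'prod', so session-state: is the list the ldap module wrote to.  With the
# stock config the inner-tunnel post-auth then copies reply: into
# &outer.session-state: and the outer server's post-auth merges
# session-state: into the Access-Accept; confirm both steps in radiusd -X.
post-auth {
        vlan_affect
        # ... rest of the stock post-auth section ...
}
```

If the ldap module must keep writing to reply: (for example because other policies read it there), the guard and comparisons above work unchanged with `&reply:User-Category` as long as vlan_affect runs in the same virtual server and after the module; the "Failed retrieving values" error is the sign that, at that point of processing, the list being inspected simply does not hold the attribute.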



More information about the Freeradius-Users mailing list