rlm_ldap with pre and post proxy
Hello I was wondering if there would be any complaints if the PRE_PROXY and POST_PROXY methods in the rlm_ldap module were added to call mod_authorize in rlm_ldap.c extern module_t rlm_ldap; module_t rlm_ldap = { .magic = RLM_MODULE_INIT, .name = "ldap", .inst_size = sizeof(rlm_ldap_t), .config = module_config, .bootstrap = mod_bootstrap, .instantiate = mod_instantiate, .detach = mod_detach, .methods = { [MOD_AUTHENTICATE] = mod_authenticate, [MOD_AUTHORIZE] = mod_authorize, [MOD_ACCOUNTING] = mod_accounting, [MOD_POST_AUTH] = mod_post_auth, #ifdef WITH_PROXY [MOD_PRE_PROXY] = mod_authorize, [MOD_POST_PROXY] = mod_authorize, #endif }, }; As that means I can inject some extra VSA's in a Access-Accept back to the Client. I'm currently rebuilding a hosted Radius Proxy service that sends a very stripped down list of attributes to the end customer which rlm_attr_filter deals nicely to in pre-proxy, but based on the accept I want to inject a whole lot of L2TP realm specific VSAs before the response goes back to the NAS that the end customer has no idea of. I had thought if I had added in the valuepair_attribute I could add proxy-reply: but in the authorize section I get an error as it's invalid in this context: (1) ldap: control:Proxy-To-Realm := "Group1" (1) ldap: WARNING: List "proxy-reply" is not available (1) ldap: ERROR: Mapping "L2TP" -> "proxy-reply:Tunnel-Type:2" invalid in this context (1) ldap: WARNING: Failed adding "proxy-reply:Tunnel-Type:2 = L2TP" to request, skipping... But in post-proxy it's happy with that attribute: (1) # Executing section post-proxy from file /appl/freeradius/30x/etc/raddb/sites-enabled/default (1) post-proxy { rlm_ldap (ldap): Reserved connection (3) (1) ldap: EXPAND (cn=%{Realm}) (1) ldap: --> (cn=customer) (1) ldap: Performing search in "o=identities" with filter "(cn=customer)", scope "sub" (1) ldap: Waiting for search result... (1) ldap: User object found at DN "cn=customer,ou=Realms,ou=Proxy,o=Identities" (1) ldap: Processing user attributes (1) ldap: control:Proxy-To-Realm := "Group1" (1) ldap: proxy-reply:Tunnel-Type:2 = L2TP Adding the MOD_PRE/POST_PROXY works for me pointing to mod_authorize, but not sure it's generally an acceptable way to achieve it. Cheers Peter
On 17 Aug 2015, at 22:45, Peter Lambrechtsen <peter@crypt.co.nz> wrote:
Hello
I was wondering if there would be any complaints if the PRE_PROXY and POST_PROXY methods in the rlm_ldap module were added to call mod_authorize
Just use ldap.authorize (section override) in the virtual server. If you *really* want to be able to call ldap in post-proxy, you can also do policy { ldap.post-proxy { ldap.authorize # Special magic post-proxy things } } And then post-proxy { ldap } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (2)
-
Arran Cudbard-Bell -
Peter Lambrechtsen