Hi,
Now with a new solution I also need to query a central ldap database for authorization info: I need to get a given attribute off of user records and present them to the NAS. I was pointing my finger at Filter-Id, but purely because the NAS docs points at it, it could really be anything.
You probably don't want to use Filter-ID. It has a pre-defined meaning. Using it for another purpose is bad.
Yes I got that, but the NAS (which is mainly a VPN concentrator) actually uses the value for assigning firewall rules to the user's session which is precisely what Filter-Id is for if I understand the rfc correctly. Due to the complexity of the nas, it also does other stuff based on this, but filter-id really is the closest in rfc 3850 (Probably this is why they are also pointing at this). However, I will check how hard it is extend with a vendor-specific instead.
However, when I then proxy the request these extra Filter-Ids are lost: they are neither proxied (which is just as well, I really don't know what would the homeserver do about it) nor are they sent in my reply. I've found traces of something like this being discussed that this is because there is a separate data structure, but that is over a decade old, and I'm a bit confused on how this supposed to work.
What you're *not* saying is that you're putting the Filter-ID into the
reply
list. That gets replaced by the reply from the home server.
If you want the attributes kept... put them in another list.
Actually I did ;) But for sure it's only because rlm_ldap either does that or onto the check list, thanks for the clarification.
Is there a way to keep does attributes (or to get them after proxying, either in post-proxy or post-auth maybe?) by using rlm_ldap?
No. Put the attributes into the "control" list. That's what it's for. Then, copy them to the reply in post-auth.
Currently I can't test, but do I understand correctly that rlm_ldap can't put things on the control list, but I could use unlang to copy the attributes from reply to control in authorize after ldap, then copy them back in post-auth? Thanks! tamas