Alan DeKok a écrit :
Matthieu Lazaro wrote:
Here is the content of a packet received by radiusd:
Weird, but OK.
Futhermore, to reply to Alan about the radiusUserCategory, it is given with the radius.schema for ldap. Is it a useless attribute then?
Yes.
I'll be checking this afternoon and testing about putting more info in ldap.attrmap to see if the filters work.
See also doc/rlm_ldap. This *is* documented.
Alan DeKok.
When filling the ldap.attrmap, here is what I get: Info: [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details Info: [ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=bobalice) Info: [ldap] expand: dc=testbed,dc=lan -> dc=testbed,dc=lan Debug: rlm_ldap: ldap_get_conn: Checking Id: 0 Debug: rlm_ldap: ldap_get_conn: Got Id: 0 Debug: rlm_ldap: performing search in dc=testbed,dc=lan, with filter (uid=bobalice) Info: [ldap] checking if remote access for bobalice is allowed by radiusTunnelPrivateGroupId Info: [ldap] Added User-Password = in check items Info: [ldap] No default NMAS login sequence Info: [ldap] looking for check items in directory... Debug: rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "34" Debug: rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802 Debug: rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN Debug: rlm_ldap: userPassword -> User-Password == " " Debug: rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 10.1.1.2 Debug: rlm_ldap: sambaNtPassword -> NT-Password == Debug: rlm_ldap: sambaLmPassword -> LM-Password == Debug: rlm_ldap: ntPassword -> NT-Password == Debug: rlm_ldap: lmPassword -> LM-Password == Debug: rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "00-15-42-7a-82-b4" Info: [ldap] looking for reply items in directory... Info: [ldap] user bobalice authorized to use remote access Debug: rlm_ldap: ldap_release_conn: Release Id: 0 Info: ++[ldap] returns ok The thing is, it is just READING the ldap content.... and not comparing to what the NAS is sending. Tunnel-Private-Group-Id:0 == "34" actually I logged in using Tunnel-Private-Group-Id:0 == "1" . I tried to add those check in the users file, but it didn't work. I read the rlm_ldap manual, and it's not talking about those types of attributes.... So I'm wondering where to tell radius: "compare the ldap attributes with what the NAS sent you, and if anything is different, reject the packet". I guess that I'll have to wait this is resolved before trying to have radius putting the user in the proper vlan. (doing things in the right order???) Regards, Matt