On 22 Jun 2015, at 16:22, Michael Ströder <michael@stroeder.com> wrote:
Arran Cudbard-Bell wrote:
On Jun 22, 2015, at 3:38 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
On Jun 22, 2015, at 3:25 PM, Michael Ströder <michael@stroeder.com> wrote:
HI!
Recently I appreciated very much that some LDAP clients send the Session Track Control [1] along with their LDAP requests. draft-wahl-ldap-session was written especially with RADIUS in mind. Any chance to see this implemented?
So, what would be the session identifier in the case of Authentication (which is when rlm_ldap is being called)?
Looks like it'd be username... Weird. I guess I can see the point.
Yes, I think so.
Are you sure OpenLDAP implements the server portion of this?
Yes!
I also make use of it in my web2ldap and in a password self-service application. It's nice to see the browser IP getting logged in syslog and even in the accesslog DB (when using slapo-accesslog).
OK. Get to testing. v3.1.x branch only. Be sure to run at least 10k requests through it to check for memory leaks. I can see the controls going out in wireshark, though it can't decode them. You need to set: ldap { options { session_tracking = yes } } Depending on what's present in the request it'll include multiple controls (as per the RFC), one for User-Name, one for Acct-Session-ID, and one for Acct-Multi-Session-ID. NAS-IP-Address/NAS-IPv6-Address is used at the IP address, and the progname configuration item is used as the service name. I think we should fix that (using progname), but it works for testing. Maybe some sort of ${EXEC} syntax to allow us to call hostname on startup, and write the result somewhere. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2