Alan et al, Adding ldap.authorize to the post-auth section didn't seem to change anything except adding a "++[ldap.authorize] returns ok" to the logs Is there a preferred way to do this I can use in version 2.2.x? -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+clayton.knorr=nuspire.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Saturday, May 7, 2016 12:28 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Authorizing using LDAP attributes On May 6, 2016, at 1:25 PM, Clayton Knorr <clayton.knorr@nuspire.com> wrote:
Running radius 2.1.12 and Openldap (openldap just for testing at this point)
You should really upgrade... newer versions are a lot easier to configure.
Trying to solve a problem. Need to provide EAP authentication for wifi to many devices. The freeradius server will be hitting an LDAP directory which is not in my control. I need to be able to have conditional logic to allow only certain users with certain attributes in the LDAP directory connect to certain RADIUS clients. I don't control the LDAP directory so using groups or OUs is not an option. So for example if the ldap user has an attribute Location that equals "A1234" I only want them to connect to one or a subset of Aps/controllers.
OK...
I have gotten to the point where everything works for EAP, just the LDAP attributes mapping to RADIUS attributes is giving me fits.
That's good.
So I have a test ldap directory in which I have set users up with the attribute businessCategory set to A1000. I have added an entry to the main dictionary file: ATTRIBUTE My-Local-String 3000 string I have added a line to ldap.attrmap: checkItem My-Local-String businessCategory I have the following in my post-auth section in sites-enabled/default:
if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" ) { noop }
else { reject }
That should be fine.
Here are some logs from what happens when I try to log in: ... [ldap] looking for check items in directory... [ldap] businessCategory -> My-Local-String == "A1000" [ldap] userPassword -> Cleartext-Password == "password" [ldap] userPassword -> Password-With-Header == "password" [ldap] looking for reply items in directory... [ldap] user uuserton authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] return .....
One key thing to note is that there are multiple packets being exchanged. Pay attention to *which* packet this message is from.
# Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++? if (Called-Station-Id == "AC-85-75-46-55-91:Peep" && ++My-Local-String == "A1000" ) ? Evaluating (Called-Station-Id == "AC-86-74-46-65-91:Peep" ) -> TRUE (Attribute My-Local-String was not found) ? Evaluating (My-Local-String == "A1000" ) -> FALSE ++? if (Called-Station-Id == "AC-86-74-46-65-91:Peep" && ++My-Local-String == "A1000" ) -> FALSE ++- entering else else {...} +++[reject] returns reject ++- else else returns reject Using Post-Auth-Type Reject
That's most likely a *different* packet. Version 2 doesn't cache results across multiple packets. Version 3 can, if you want.
The baffling part is where it says "Attribute My-Local-String was not found." Am I completely barking up the wrong tree here? Is ldap.attrmap meant to be used for something completely different?
It works. In v2.1, you should just add "ldap.authorize" to the "post-auth" section, before your unlang checks. It's a hack, but it should work around this issue. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html