Attr-Rewrite and Users File
Hi there! Please help.... I´m doing a attr_rewrite with an attribute in the request: attr_rewrite strip-vpn { attribute = Acct-Session-Id searchin = packet searchfor = "^[^\(]+([\(])([^\)]+).+$" replacewith = %{2} new_attribute = no max_matches = 1 append = no } Radius doing the rewrite seems okay to me... [strip-vpn] expand: ^[^(]+([(])([^)]+).+$ -> ^[^(]+([(])([^)]+).+$ [strip-vpn] expand: %{2} -> test1 strip-vpn: Changed value for attribute Acct-Session-Id from 'abc00000(test1)"Mon Sep 28 13:34:40 2009"9XMBQBrh' to 'test1' strip-vpn: Could not find value pair for attribute Acct-Session-Id ++[strip-vpn] returns ok Later in the files modules I´d like to use the stripped value for checking against an ldap-group: DEFAULT User-Name =~ "^(\.*)([a-zA-Z]{3}[0-9]{5})", Huntgroup-Name == "test", ldapgroups1-Ldap-Group=="cn=%{Acct-Session-Id},o=test,c=de" So, if the user is a member of the group cn=test1,o=test,c=de he should get an access-accept, else he should be rejected. The FIRST request after RADIUS started it looks like this: expand: cn=%{Acct-Session-Id},o=test,c=de -> cn=test1,o=test,c=de rlm_ldap: Entering ldap_groupcmp() ... rlm_ldap: performing search in cn=test1,o=test,c=de, with filter .... and it´s working as it should be. The next request from the same user but with test2 instead of test1 in the request: [strip-vpn] expand: ^[^(]+([(])([^)]+).+$ -> ^[^(]+([(])([^)]+).+$ [strip-vpn] expand: %{2} -> test2 strip-vpn: Changed value for attribute Acct-Session-Id from 'abc00000(test2)"Mon Sep 28 13:34:40 2009"9XMBQBrh' to 'test2' strip-vpn: Could not find value pair for attribute Acct-Session-Id ++[strip-vpn] returns ok Now radius doesn´t do the expansion like it did for the first request, but the search in the group with the value used in the request before: rlm_ldap: Entering ldap_groupcmp() ... rlm_ldap: performing search in cn=test1,o=test,c=de, with filter .... Is there some kind of caching or do I miss something? Thank you very much Anja --------------------------------------------------------------------------------------------- Anja Ruckdäschel M.A.; Rechenzentrum der Universität Regensburg; Universitätsstr.31; 93 053 Regensburg Telefon: +49 941 943 4826 ---------------------------------------------------------------------------------------------
Do you mean the stripping part? --------------------------------------------------------------------------------------------- Anja Ruckdäschel M.A.; Rechenzentrum der Universität Regensburg; Universitätsstr.31; 93 053 Regensburg Telefon: +49 941 943 4826 ---------------------------------------------------------------------------------------------
"Ivan Kalik" <tnt@kalik.net> 01.10.2009 00:21 >>> DEFAULT User-Name =~ "^(\.*)([a-zA-Z]{3}[0-9]{5})", Huntgroup-Name == "test", ldapgroups1-Ldap-Group=="cn=%{Acct-Session-Id},o=test,c=de"
Use unlang instead. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Now I did it with unlang in the authorize section before the files module.... if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) { update request { ldapgroups1-Ldap-Group := "cn=%{2},ou=vpn,ou=test,o=test,c=de" } update request { ldapgroups2-Ldap-Group := "cn=%{2},ou=vpn,ou=test,o=test,c=de" } } } and in the users file now: DEFAULT User-Name =~ "^(\.*)([a-zA-Z]{3}[0-9]{5})", Huntgroup-Name == "test", ldapgroups1-Ldap-Group=="%{ldapgroups1-Ldap-Group}" Same result. Stripping works. But expansion of %{ldapgroups1-Ldap-Group} happens only the first time after starting the server... On the second request it´s again the value of the first one. Any idea? Or did you mean something else??? Thanks for your help. Anja
"Ivan Kalik" <tnt@kalik.net> 01.10.2009 00:21 >>> DEFAULT User-Name =~ "^(\.*)([a-zA-Z]{3}[0-9]{5})", Huntgroup-Name == "test", ldapgroups1-Ldap-Group=="cn=%{Acct-Session-Id},o=test,c=de"
Use unlang instead. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Anja Ruckdaeschel wrote:
Now I did it with unlang in the authorize section before the files module....
if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) {
update request { ldapgroups1-Ldap-Group := "cn=%{2},ou=vpn,ou=test,o=test,c=de"
The "ldapgroups1-Ldap-Group" attribute can *only* do comparisons. Assigning to it is not supported. And even if assigning to it was supported, the LDAP-Group attribute checks group *names*. It doesn't support LDAP queries like "cn=...,ou=..." Perhaps you could try to describe what you are trying to do. Describe it in terms of ideas, not pieces of configuration files. The configuration pieces you posted are wrong, and won't work. Alan DeKok.
Dear Alan! Thanks for your answer, but now it seems to work... But it would be nice, if you can tell me, if there is a better way to do this... What I tried to do, was this: I´m getting some profile-Information from a NAS embedded in some crytical string in the attribute Acct-Session-Id. To extract the profile name I do the stripping.... If the user is member of an ldap-group which cn matches with the profile-name the users should be accepted, else rejected... The groups are all in the same ou, so the whole group-dn is not needed.... If the profile name equals to "test_default" no ldap-group-check should be done only the "normal" named bind... The Auth-Request in this case is a simple one (no CHAP, MSCHAP, etc...) So, what I tried in the first place was some kind of "variable" group cn in the users file, but that didn´t work out as I posted earlier... Now I did it with (in default, authorize section): authorize { ... if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) { update request { Acct-Session-Id := "%{2}" } } } ... if (User-Name =~ /^(\.*)([a-zA-Z]{3}[0-9]{5})/ && Huntgroup-Name == "test" ) { if (Acct-Session-Id != "test_default") { if (ldapgroups1-Ldap-Group == "cn=%{Acct-Session-Id},o=test,c=de" ) { update control { Auth-Type := LDAP } ok } else { reject } } #if it´s test_default, ignore ldap-group an do only the named bind else { update control { Auth-Type := LDAP } } } .... if (Huntgroup-Name != "test" ) { files } ... } I have a lot of things in the users file, so it should be left out only in this special case... Thank you very much... Anja
Alan DeKok <aland@deployingradius.com> 02.10.2009 20:33 >>> Anja Ruckdaeschel wrote: Now I did it with unlang in the authorize section before the files module....
if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) {
update request { ldapgroups1-Ldap-Group := "cn=%{2},ou=vpn,ou=test,o=test,c=de"
The "ldapgroups1-Ldap-Group" attribute can *only* do comparisons. Assigning to it is not supported. And even if assigning to it was supported, the LDAP-Group attribute checks group *names*. It doesn't support LDAP queries like "cn=...,ou=..." Perhaps you could try to describe what you are trying to do. Describe it in terms of ideas, not pieces of configuration files. The configuration pieces you posted are wrong, and won't work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Anja Ruckdaeschel -
Ivan Kalik