Personalizing ldap filters from users file
Hello, I have freeradius (2.2.0) using ldap as backend for user information. This radius server is used by different applications to authenticate and authorize users. I want now to use different ldap filters for different applications. In LDAP I'm using SCHAC schema and schacUserStatus is a multivalue attribute (in URN format) indicating services that the user has enabled or disabled in the way: dn: uid=user,<basedn> uid: user schacUserStatus: <urn prefix>:dovecot:enabled schacUserStatus: <urn prefix>:eduroam:enabled schacUserStatus: <urn prefix>:vpn:disabled ... What I want is to define ldap filter as: ldap { ... filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>: %{X-Atica-Service}:enabled))" ... } where "X-Atica-Service" is a private attribute (of type string) I have defined in dictionary, and this attribute is defined in users file for the each with something like: DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es User-Name := `%{User-Name}`, Fall-Through = No But this does not work. As I have a virtual server for each service radius is authenticating I don't mind defining this attribute in virtual server configuration. What I want to avoid is to define different ldap modules differing just the filter. Any idea? -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337
On 11/19/2012 09:48 AM, Angel L. Mateo wrote:
ldap { ... filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>: %{X-Atica-Service}:enabled))" ... }
DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es User-Name := `%{User-Name}`, Fall-Through = No
But this does not work.
It's important to understand how the "users" file works. The line you've written above says: set "X-Actica-Service" to "vpn" in the "control" items if it's not already set (= operator) set "Auth-Type" to "LDAP" in the "control" items if it's not already set (= operatgor) *if* Realm == um.es and then set "User-Name" to "%{User-Name}" on the "reply" items *always* (:= operator) set "Fall-Through" to "No" in the "reply" items if it's not already set (= operator) So, any variable you set on that first line goes in the control items, so must be referred to there. Either modify your LDAP filter to reference: "...%{control:X-Actica-Service}..." ...or better yet, convert the logic to an "unlang" stanza which is more flexible and more explicit / less "magic", hence easier to understand, *and* lets you set variables in any list. Like so: authorize { ... if (Realm == um.es) { update request { X-Actica-Service = "..." } } else { ... } ldap } Also: I note you are setting "Auth-Type". This is almost always wrong, and almost certainly so in your case. Correct config of the LDAP module should mean you don't need to set Auth-Type, and it's usually harmful to do so. If it's not causing you a problem it's probably because you're using the "=" rather than ":=" operator. Cheers, Phil
El 19/11/12 11:17, Phil Mayers escribió:
On 11/19/2012 09:48 AM, Angel L. Mateo wrote:
ldap { ... filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>: %{X-Atica-Service}:enabled))" ... }
DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es User-Name := `%{User-Name}`, Fall-Through = No
But this does not work.
It's important to understand how the "users" file works. The line you've written above says:
set "X-Actica-Service" to "vpn" in the "control" items if it's not already set (= operator)
set "Auth-Type" to "LDAP" in the "control" items if it's not already set (= operatgor)
*if* Realm == um.es
and then
set "User-Name" to "%{User-Name}" on the "reply" items *always* (:= operator)
set "Fall-Through" to "No" in the "reply" items if it's not already set (= operator)
So, any variable you set on that first line goes in the control items, so must be referred to there.
Either modify your LDAP filter to reference:
"...%{control:X-Actica-Service}..."
...or better yet, convert the logic to an "unlang" stanza which is more flexible and more explicit / less "magic", hence easier to understand, *and* lets you set variables in any list. Like so:
authorize { ... if (Realm == um.es) { update request { X-Actica-Service = "..." } } else { ... }
ldap }
Thank you, this way it works.
Also: I note you are setting "Auth-Type". This is almost always wrong, and almost certainly so in your case. Correct config of the LDAP module should mean you don't need to set Auth-Type, and it's usually harmful to do so. If it's not causing you a problem it's probably because you're using the "=" rather than ":=" operator.
It works for me. Maybe it's because I don't use ldap in authorize, but just in: authenticate { Auth-Type LDAP { ldap } } I don't know the real cause of this (I have inherited this configuration from an old config I didn't do it. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868889150 Fax: 868888337
participants (2)
-
Angel L. Mateo -
Phil Mayers