Hi all, I am using FR 2.1.11 and I try to implement access_attr & access_attr_used_for_allow with rlm_ldap. modules/ldap.conf : .... access_attr = inetUserStatus access_attr_used_for_allow = yes compare_check_items = no do_xlat = yes set_auth_type = yes ... Inside our OpenLDAP, the attribute is inetUserStatus, whose value can be(active/inactive). According to rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE). At the moment, access is granted if inetUserStatus is set to active as well as if inetUserStatus is set to inactive, I suppose because FR does not interpred those values as TRUE/yes or FALSE/no .. As I cannot act on ldap server side, (many other applications already uses this attribute value pair) Is there any way to have this working on freeradius side ? Is it necessary to ldap.attrmap this attribute to use this feature ? Could I (for example) update the attribute recovered from ldap during author and change inactive to FALSE or active to TRUE ? debug extract : Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{Stripped-User-Name} -> Fri Sep 23 12:54:05 2011 : Info: [ldap] ... expanding second conditional Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{User-Name} -> user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] attempting LDAP reconnection Fri Sep 23 12:54:05 2011 : Debug: [ldap] (re)connect to 10.49.64.25:389, authentication 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] bind as cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389 Fri Sep 23 12:54:05 2011 : Debug: [ldap] waiting for bind result ... Fri Sep 23 12:54:05 2011 : Debug: [ldap] Bind was successful Fri Sep 23 12:54:05 2011 : Debug: [ldap] performing search in dc=corp,dc=toto,dc=com, with filter (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for user_sps is allowed by inetUserStatus Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in directory... Fri Sep 23 12:54:05 2011 : Debug: [ldap] userPassword -> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi" Fri Sep 23 12:54:05 2011 : Debug: [ldap] ntPassword -> NT-Password == 0x7305108b06d9839d8530b917307803e9 Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in directory... Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use remote access Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0 Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at line 1 Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok Best regards, Fred MAISON
Hi all, After some more reading of rlm_ldap code, I saw that a static comparison is made with "FALSE" to detect disabled access, which is fairly limitative ... Here is a rlm_ldap small patch I have tested with 2.1.12pre, which allow to configure arbitrary deny value for access_attr. Config parameter exposed in ${config}/modules/ldap is access_attr_deny_value. default value is "FALSE" as before, so if access_attr is dialupAccess && dialupAccess == "FALSE" in the ldap database, user is rejected. This is usefull for example to use inetUserStatus as access_attr, because common values for this attributes are [active|inactive] ldap module sample config : access_attr = inetUserStatus access_attr_deny_value = "inactive" access_attr_used_for_allow = yes I don't think Alan will accept to commit this change for 2.1.12 one day before it's out, but let's try ! ####################################### char *access_attr; char *access_attr_deny_value; char *passwd_hdr; ..... * Access limitations */ /* LDAP attribute name that controls remote access */ {"access_attr", PW_TYPE_STRING_PTR, offsetof(ldap_instance,access_attr), NULL, NULL}, {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"}, {"access_attr_deny_value", PW_TYPE_STRING_PTR, offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"}, {"chase_referrals", PW_TYPE_BOOLEAN, offsetof(ldap_instance,chase_referrals), NULL, NULL}, {"rebind", PW_TYPE_BOOLEAN, offsetof(ldap_instance,rebind), NULL, NULL}, ..... /* Remote access is controled by attribute of the user object */ if (inst->access_attr) { if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) { if (inst->default_allow){ RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr); if (!strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))) { RDEBUG("dialup access disabled"); ..... ###################### Best regards, Fred 2011/9/23 Fred <fred.maison@gmail.com>:
Hi all,
I am using FR 2.1.11 and I try to implement access_attr & access_attr_used_for_allow with rlm_ldap. modules/ldap.conf : .... access_attr = inetUserStatus access_attr_used_for_allow = yes compare_check_items = no do_xlat = yes set_auth_type = yes ...
Inside our OpenLDAP, the attribute is inetUserStatus, whose value can be(active/inactive). According to rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE). At the moment, access is granted if inetUserStatus is set to active as well as if inetUserStatus is set to inactive, I suppose because FR does not interpred those values as TRUE/yes or FALSE/no ..
As I cannot act on ldap server side, (many other applications already uses this attribute value pair) Is there any way to have this working on freeradius side ? Is it necessary to ldap.attrmap this attribute to use this feature ? Could I (for example) update the attribute recovered from ldap during author and change inactive to FALSE or active to TRUE ?
debug extract : Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{Stripped-User-Name} -> Fri Sep 23 12:54:05 2011 : Info: [ldap] ... expanding second conditional Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{User-Name} -> user_sps Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] attempting LDAP reconnection Fri Sep 23 12:54:05 2011 : Debug: [ldap] (re)connect to 10.49.64.25:389, authentication 0 Fri Sep 23 12:54:05 2011 : Debug: [ldap] bind as cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389 Fri Sep 23 12:54:05 2011 : Debug: [ldap] waiting for bind result ... Fri Sep 23 12:54:05 2011 : Debug: [ldap] Bind was successful Fri Sep 23 12:54:05 2011 : Debug: [ldap] performing search in dc=corp,dc=toto,dc=com, with filter (uid=user_sps) Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for user_sps is allowed by inetUserStatus Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in directory... Fri Sep 23 12:54:05 2011 : Debug: [ldap] userPassword -> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi" Fri Sep 23 12:54:05 2011 : Debug: [ldap] ntPassword -> NT-Password == 0x7305108b06d9839d8530b917307803e9 Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in directory... Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use remote access Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0 Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at line 1 Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok
Best regards,
Fred MAISON
participants (1)
-
Fred