Referencing LDAP/AD attributes in post-auth section
I'm sorry for asking such a simple thing but I can't find any reference for FreeRadius3. I have been successfully using this functionality in Freeardius2, in the same manner as reported here: http://freeradius-users.freeradius.narkive.com/k46qBmbs/referencing-ldap-att... I've created a new ldap module inside mods-available/ldap to extract a specific ldap attribute (macAddress) from a specific ldap location ad reported here in rlm_ldap module documentation. ldap ldap_mac_auth { server = 'samba4.server.mynet.lan' identity = 'cn=administrator,cn=Users,dc=ad,dc=mynet,dc=lan' password = p4ss base_dn = 'ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan' update { reply:macAddress := 'macAddress' } user { base_dn = "${..base_dn}" filter = "(&(objectClass=computer)(managedBy=%{control:Ldap-UserDn}))" } } Then i'm calling it inside the authorize section of the default server. authorize { .. ldap ldap_mac_auth .. } In the post-auth section of the default server i'm applying the following control. post-auth { .. if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) { update reply { Tunnel-Private-Group-Id := 43 Tunnel-Medium-Type := "IEEE-802" Tunnel-Type := "VLAN" } } .. } Inside the dictionary file I've added the reference to that variable. ATTRIBUTE macAddress 3000 string During the authentication process I can see the ldap_auth_mac module running. (2) ldap_mac_auth: EXPAND (&(objectClass=computer)(managedBy=%{control:Ldap-UserDn})) (2) ldap_mac_auth: --> (&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan)) (2) ldap_mac_auth: Performing search in "ou=WiFi,ou=Computers,ou=MyNet,dc=ad,dc=mynet,dc=lan" with filter "(&(objectClass=computer)(managedBy=CN\3dTest User\2cOU\3dStaff\2cOU\3dUsers\2cOU\3dMyNet\2cDC\3dad\2cDC\3dmynet\2cDC\3dlan))", scope "sub" (2) ldap_mac_auth: Waiting for search result... (2) ldap_mac_auth: User object found at DN "CN=MyNetbook,OU=WiFi,OU=Computers,OU=MyNet,DC=ad,DC=mynet,DC=lan" (2) ldap_mac_auth: Processing user attributes (2) ldap_mac_auth: reply:macAddress := '13-59-F3-A3-94-00' So, as you see, the macAddress ldap attribute is correctly mapped to the reply:macAddress variable. But at the end of the process, executing the post-auth section, this is the result: (10) post-auth { (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) { (10) EXPAND %{reply:macAddress} (10) --> (10) EXPAND %{Calling-Station-Id} (10) --> 13-59-F3-A3-94-00 (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) -> FALSE So the variable "reply:macAddress" couldn't correctly expanded. I'm using FreeRADIUS Version 3.0.12. Thanks in advance for your help.
(10) post-auth { (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) { (10) EXPAND %{reply:macAddress} (10) --> (10) EXPAND %{Calling-Station-Id} (10) --> 13-59-F3-A3-94-00 (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) -> FALSE
So the variable "reply:macAddress" couldn't correctly expanded.
Because you retrieved the value in request 2, and are using it in request 10.
I'm using FreeRADIUS Version 3.0.12.
The reply list is request specific, it doesn't carry between requests. You need to use the session-state list if you're doing EAP and want to build up a list of attributes for authorization. -Arran
It works! Thank you very much! 2016-08-03 18:51 GMT+02:00 Arran Cudbard-Bell <a.cudbardb@freeradius.org>:
(10) post-auth { (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) { (10) EXPAND %{reply:macAddress} (10) --> (10) EXPAND %{Calling-Station-Id} (10) --> 13-59-F3-A3-94-00 (10) if ( "%{reply:macAddress}" == "%{Calling-Station-Id}" ) -> FALSE
So the variable "reply:macAddress" couldn't correctly expanded.
Because you retrieved the value in request 2, and are using it in request 10.
I'm using FreeRADIUS Version 3.0.12.
The reply list is request specific, it doesn't carry between requests.
You need to use the session-state list if you're doing EAP and want to build up a list of attributes for authorization.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all, On Wed, Aug 03, 2016 at 12:51:28PM -0400, Arran Cudbard-Bell wrote:
The reply list is request specific, it doesn't carry between requests.
You need to use the session-state list if you're doing EAP and want to build up a list of attributes for authorization.
in what version was introduced the session-state list? Any hope to have it in freeradius 2? Thanks, Enrico Polesel
On Thu, Aug 04, 2016 at 10:06:06AM +0200, Enrico Polesel wrote:
On Wed, Aug 03, 2016 at 12:51:28PM -0400, Arran Cudbard-Bell wrote:
The reply list is request specific, it doesn't carry between requests.
You need to use the session-state list if you're doing EAP and want to build up a list of attributes for authorization.
in what version was introduced the session-state list? Any hope to have it in freeradius 2?
FreeRADIUS 2 is obsolete and end-of-life. So, no. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (4)
-
Arran Cudbard-Bell -
Enrico Polesel -
Matthew Newton -
Stefano Pardini