authorize an user using a multivalue ldap attribute
Hello, I have a string attribute named Relaciones in my ldap. This attribute can have more than one value. Actually I return those values in the reply: Sending Access-Accept of id 229 to X.X.X.X port 32796 Relaciones += "-11" Relaciones += "03" Relaciones += "-01" I want to authorize the access only if there is one attibute Relaciones whith a positive value. So I would like to use unlang in authorize module to check all the attributes "Relaciones" whit a regex, but I don't know how can I check all the attributes, and how can I stop procesing the attributes if I found one wihtout a minus sign. if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) { } Thanks very much, and sorry for my english. -- ____________________ Ana Gallardo Gómez ____________________
Hello again, I have a string attribute named Relaciones in my ldap.
This attribute can have more than one value. Actually I return those values in the reply:
Sending Access-Accept of id 229 to X.X.X.X port 32796 Relaciones += "-11" Relaciones += "03" Relaciones += "-01"
I want to authorize the access only if there is one attibute Relaciones whith a positive value. So I would like to use unlang in authorize module to check all the attributes "Relaciones" whit a regex, but I don't know how can I check all the attributes, and how can I stop procesing the attributes if I found one wihtout a minus sign.
if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {
}
maybe I can check the value with a check item: #cat /etc/freeradius/ldap.attrmap checkItem NT-Password ntPassword checkItem Relaciones Relaciones ~= /^([0-9]{2})/ replyItem Nombre-Completo sn replyItem Relaciones Relaciones += anyway i test both ideas, but don't work: [ldap] looking for check items in directory... [ldap] ntPassword -> NT-Password == 0x3... [ldap1] looking for reply items in directory... [ldap1] Relaciones -> Relaciones += "-11" [ldap1] Relaciones -> Relaciones += "03" [ldap1] Relaciones -> Relaciones += "-01" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user XXX authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok ++++? if (fail) ? Evaluating (fail) -> FALSE ++++? if (fail) -> FALSE ++++- entering else else {...} +++++? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) expand: %{reply:Relaciones} -> -11 ? Evaluating ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE +++++? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE ++++- else else returns ok any ideas? thank you very much. ____________________ Ana Gallardo Gómez ____________________
Ana Gallardo wrote:
I want to authorize the access only if there is one attibute Relaciones whith a positive value. So I would like to use unlang in authorize module to check all the attributes "Relaciones" whit a regex, but I don't know how can I check all the attributes, and how can I stop procesing the attributes if I found one wihtout a minus sign.
if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {
You can't really do that with "unlang". I suggest using the perl module. Alan DeKok.
Hello Alan, and thank you for your response. You can't really do that with "unlang". I suggest using the perl module.
I flow your suggestion and write this: # cat /etc/freeradius/perl/checkRelaciones.pm use strict; use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK); use Data::Dumper; use constant RLM_MODULE_REJECT=> 0;# /* immediately reject the request */ use constant RLM_MODULE_OK=> 2;# /* the module is OK, continue */ sub authorize { my $attr; my $valor; while (($attr,$valor)= each(%RAD_REPLY{'Relaciones'}){ if ($valor =~ /^([0-9]{2})/) { return RLM_MODULE_OK; } } return RLM_MODULE_REJECT; } and I use this in authorize section: authorize{ ... files ... perl expiration ... } but, when I try to run freeradius in debug mode: ... perl { module = "/etc/freeradius/perl/checkRelaciones.pm" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64. at /usr/lib/perl/5.10/Data/Dumper.pm line 36 So, I think thah I need to upgrade or something like this. Thank you again. ____________________ Ana Gallardo Gómez ____________________
On 22/10/10 13:16, Ana Gallardo wrote:
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64. at /usr/lib/perl/5.10/Data/Dumper.pm line 36
You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :) -- ---------------------------- Jonathan Gazeley Systems Support Specialist ResNet | Wireless & VPN Team Information Services University of Bristol ----------------------------
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
On 22/10/10 13:16, Ana Gallardo wrote:
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64. at /usr/lib/perl/5.10/Data/Dumper.pm line 36
You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)
Conversely, you could comment out/remove the "use Data::Dumper" line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc. -- Kevin Ehlers Network Engineer University of Oregon
Thank you very much for your responses. Conversely, you could comment out/remove the "use Data::Dumper" line
since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.
Ok, Kevin, I don't use Data::Dumper and I can run Freeradius with my perl module. My problem is with the hashes that rlm_perl provide to my script ¡rlm_perl add in the reply hash an attribute Relaciones with the value of the attribute Nombre-Completo, and also add Nombre-Completo! Debug: [ldap1] performing user authorization for ana [ldap1] expand: %{Stripped-User-Name} -> ana [ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana) ... [ldap1] looking for check items in directory... [ldap1] ntPassword -> NT-Password == 0x35... [ldap1] looking for reply items in directory... [ldap1] Relaciones -> Relaciones += "01" [ldap1] sn -> Nombre-Completo = "ana" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap1] user ana authorized to use remote access [ldap1] ldap_release_conn: Release Id: 0 ++++[ldap1] returns ok ... rlm_perl: Added pair User-Name = ana rlm_perl: Added pair User-Password = 1111 rlm_perl: Added pair Intentos-Reject = 1 rlm_perl: Added pair SQL-User-Name = ana rlm_perl: Added pair Stripped-User-Name = ana rlm_perl: Added pair Calling-Station-Id = xxx rlm_perl: Added pair Nombre-Completo = ana rlm_perl: Added pair Relaciones = 01 *rlm_perl: Added pair Relaciones = ana* rlm_perl: Added pair NT-Password = 0x35... rlm_perl: Added pair Simultaneous-Use = 1 rlm_perl: Added pair Ldap-UserDn = ... Than you ____________________ Ana Gallardo Gómez ____________________
participants (4)
-
Alan DeKok -
Ana Gallardo -
Jonathan Gazeley -
Kevin Ehlers