Referencing LDAP attributes in post-auth
Hello, I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth. Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works great. As an added functionality, I need to send to the NAS a few extra attributes based on an an ldap attribute "personType". I've added mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server: ... [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] personType -> Person-Type = "employee" [ldap] personType -> Person-Type = "fulltime" [ldap] personType -> Person-Type = "it" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user tadam authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ... How do I reference this attribute in a perl script I call from post-auth? It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK... Actually, I can't even figure out how to call it from the post-auth section itself.. I've tried different things, but I'm thinking the following should work: update reply{ Reply-Message := "Type: %{reply:Person-Type}." } Yet, I get: ... +- entering group post-auth {...} expand: Type: %{reply:Person-Type}. -> Type: . ++[reply] returns noop ... Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorization block? A.
I'm just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing. I think there's an option to copy inner-tunnel attribs to outer-tunnel attribs. Maybe start searching in those areas and wait for someone that actually known something about FR to reply. I used to know a LITTLE bit, but I hardly touch it anymore and find myself forgetting all but the very basics. G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Adam Track Sent: Tuesday, November 01, 2011 1:36 PM To: ' freeradius-users@lists.freeradius.org' Subject: Referencing LDAP attributes in post-auth Hello, I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth. Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works great. As an added functionality, I need to send to the NAS a few extra attributes based on an an ldap attribute "personType". I've added mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server: ... [ldap] looking for check items in directory... [ldap] looking for reply items in directory... [ldap] personType -> Person-Type = "employee" [ldap] personType -> Person-Type = "fulltime" [ldap] personType -> Person-Type = "it" WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user tadam authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ... How do I reference this attribute in a perl script I call from post-auth? It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK... Actually, I can't even figure out how to call it from the post-auth section itself.. I've tried different things, but I'm thinking the following should work: update reply{ Reply-Message := "Type: %{reply:Person-Type}." } Yet, I get: ... +- entering group post-auth {...} expand: Type: %{reply:Person-Type}. -> Type: . ++[reply] returns noop ... Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorization block? A. <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
On 11/01/2011 07:41 PM, Adam Track wrote:
I’m just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing.
In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply = yes. Neither the ldap nor perl modules are called in the inner-tunnel.
Full debug please. Broadly speaking the approach you're trying should work. Most likely there's some subtlety which the partial debug doesn't show. One obvious question: you have defined "Person-Type" in a dictionary somewhere, haven't you? e.g. in raddb/dictionary: ATTRIBUTE Person-Type 3099 string Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o)
This might help. Then I want to map certain attribute like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary ATTRIBUTE My-Local-employeeStatus 3000 string and the following line in etc/raddb/ldap.attrmap #FOO specific attributes replyItem My-Local-employeeStatus employeeStatus Without these two line addition, radius will complain unknown attribute. Then in the post-auth section #default will have no Tunnel attribute/value, instead, they will be configured on #the NAS to go to student VLANs. # this will cover my ldap ntPassword authentication/authorization #facstaff have employeeStatus set while student does not if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) { update reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } } #this will cover my AD ntlm auth, People in AD are all facstaff if ( "%{User-Name}" !~ /@/ ) { update reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } } In this way, people can map arbitrary attribute from ldap to radius, if not in dictionary/ldap.attrmap, then just defined your own. Then you have flexibility of using these attribute/value in your logic at post-auth section. Thanks all for the hints and help! Schilling On Tue, Nov 1, 2011 at 4:08 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 11/01/2011 07:41 PM, Adam Track wrote:
> I’m just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing.
In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply = yes. Neither the ldap nor perl modules are called in the inner-tunnel.
Full debug please.
Broadly speaking the approach you're trying should work. Most likely there's some subtlety which the partial debug doesn't show.
One obvious question: you have defined "Person-Type" in a dictionary somewhere, haven't you? e.g. in raddb/dictionary:
ATTRIBUTE Person-Type 3099 string
Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Adam Track -
Gary Gatten -
Phil Mayers -
schilling