LDAP Accounting
Olivier Beytrison
olivier at heliosnet.org
Tue Dec 11 15:15:47 CET 2012
On 11.12.2012 13:40, Arran Cudbard-Bell wrote:
>>
>>
>>> with roomNumber := "User %{%{Stripped-User-Name}:-%{User-Name}} logged
>>> in at %S"
>>>
>>
>> The main thing is we have a way of doing it, even if it's a little ugly.
>
> Actually, it looks like you can do a wildcard delete if you pass a 0 length value array.
>
> Could you try
>
> update {
> <attribute> -= ANY
> }
>
> Bare ANY keyword being magic.
Works very well [1] :) Thx!
And one more thing that would be nice to have: if something goes wrong
with those LDAP modifications, we should be able to choose whether the user
is rejected or not, like
post-auth {
update {
<attr> <op> <val>
}
error = reject/noop
}
And for the := set operator on a multi-valued LDAP attribute, we could
implement something like <attr> := <old-value>:<new-value>.
But that's pushing things too far in my opinion...
Thanks for your work, Arran!
Olivier
[1]
with roomNumber -= ANY
ldapsearch before request:
roomNumber: Hello 2012-12-11 13:42:06
roomNumber: pouet lala
roomNumber: pouet hoho
roomNumber: hihohu
radtest request:
Sending Access-Request of id 236 from 0.0.0.0 port 52704 to 127.0.0.1
port 1812
User-Name != "olivier.beytriso"
NAS-IP-Address != 160.98.240.25
NAS-Port != 0
Message-Authenticator != 0x00
MS-CHAP-Challenge != xxxxxxx
MS-CHAP-Response != xxxxxxxxx
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=236,
length=84
MS-CHAP-MPPE-Keys != 0xf087f73xxxxxxx4ac880000000000000000
MS-MPPE-Encryption-Policy != Encryption-Allowed
MS-MPPE-Encryption-Types != RC4-40or128-bit-Allowed
ldapsearch after:
dn: cn=31935762,ou=courant,ou=people,o=hes-so
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: olivier at heliosnet.org
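An added illustration, not code from the thread or from FreeRADIUS itself, of what the `-= ANY` wildcard delete and the other update operators mean at the LDAP layer. It works on an in-memory copy of the roomNumber values taken from the ldapsearch output above; the ANY keyword is modelled as an empty value list, which is exactly what makes the delete a wildcard.

```python
# Added example (not from the thread or FreeRADIUS): LDAP modify changetype
# behind each rlm_ldap-style update operator, applied to a copy of the entry.
# ANY is modelled as a zero-length value array (see Arran's message above).

LDAP_OPS = {"+=": "add", "-=": "delete", ":=": "replace"}

# Constructed from the "ldapsearch before request" output in the post.
ROOM_BEFORE = {"roomNumber": ["Hello 2012-12-11 13:42:06", "pouet lala",
                              "pouet hoho", "hihohu"]}

def expand(values):
    """The bare ANY keyword means 'no values', i.e. a zero-length value array."""
    return [] if values == ["ANY"] else list(values)

def to_ldif_change(attr, op, values):
    """Render `attr op values` as the LDIF modify fragment the server receives."""
    if op not in LDAP_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    vals = expand(values)
    if op != "-=" and not vals:  # add/replace without values makes no sense
        raise ValueError(f"{op} needs at least one value")
    lines = [f"{LDAP_OPS[op]}: {attr}"] + [f"{attr}: {v}" for v in vals] + ["-"]
    return "\n".join(lines)

def apply_change(entry, attr, op, values):
    """Apply the same modification to {attr: [values]} and return a new dict.

    `delete` with no values removes the whole attribute; deleting a value that
    is not present fails (the case where the post asks for a reject/noop choice).
    """
    vals = expand(values)
    current = list(entry.get(attr, []))
    if op == "+=":
        new = current + [v for v in vals if v not in current]  # duplicates skipped
    elif op == ":=":
        new = vals
    elif op == "-=" and not vals:
        new = []                     # wildcard delete: drop every value
    elif op == "-=":
        missing = [v for v in vals if v not in current]
        if missing:
            raise LookupError(f"noSuchAttribute: {attr} lacks {missing}")
        new = [v for v in current if v not in vals]
    else:
        raise ValueError(f"unsupported operator {op!r}")
    result = dict(entry)
    if new:
        result[attr] = new
    else:
        result.pop(attr, None)       # LDAP drops an attribute left with no values
    return result
```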