rlm_ldap with pre and post proxy

Peter Lambrechtsen peter at crypt.co.nz
Tue Aug 18 04:45:49 CEST 2015


I was wondering if there would be any complaints if the PRE_PROXY and
POST_PROXY methods in the rlm_ldap module were added to call mod_authorize

in rlm_ldap.c

extern module_t rlm_ldap;
module_t rlm_ldap = {
        .magic          = RLM_MODULE_INIT,
        .name           = "ldap",
        .inst_size      = sizeof(rlm_ldap_t),
        .config         = module_config,
        .bootstrap      = mod_bootstrap,
        .instantiate    = mod_instantiate,
        .detach         = mod_detach,
        .methods = {
                [MOD_AUTHENTICATE]      = mod_authenticate,
                [MOD_AUTHORIZE]         = mod_authorize,
                [MOD_ACCOUNTING]        = mod_accounting,
                [MOD_POST_AUTH]         = mod_post_auth,
                [MOD_PRE_PROXY]         = mod_authorize,
                [MOD_POST_PROXY]        = mod_authorize,

As that means I can inject some extra VSA's in a Access-Accept back to the

I'm currently rebuilding a hosted Radius Proxy service that sends a very
stripped down list of attributes to the end customer which rlm_attr_filter
deals nicely to in pre-proxy, but based on the accept I want to inject a
whole lot of L2TP realm specific VSAs before the response goes back to the
NAS that the end customer has no idea of.

I had thought if I had added in the valuepair_attribute I could add
proxy-reply: but in the authorize section I get an error as it's invalid in
this context:

(1) ldap: control:Proxy-To-Realm := "Group1"
(1) ldap: WARNING: List "proxy-reply" is not available
(1) ldap: ERROR: Mapping "L2TP" -> "proxy-reply:Tunnel-Type:2" invalid in
this context
(1) ldap: WARNING: Failed adding "proxy-reply:Tunnel-Type:2 = L2TP" to
request, skipping...

But in post-proxy it's happy with that attribute:

(1) # Executing section post-proxy from file
(1)   post-proxy {
rlm_ldap (ldap): Reserved connection (3)
(1) ldap: EXPAND (cn=%{Realm})
(1) ldap:    --> (cn=customer)
(1) ldap: Performing search in "o=identities" with filter "(cn=customer)",
scope "sub"
(1) ldap: Waiting for search result...
(1) ldap: User object found at DN
(1) ldap: Processing user attributes
(1) ldap: control:Proxy-To-Realm := "Group1"
(1) ldap: proxy-reply:Tunnel-Type:2 = L2TP

Adding the MOD_PRE/POST_PROXY works for me pointing to mod_authorize, but
not sure it's generally an acceptable way to achieve it.



More information about the Freeradius-Devel mailing list