Map LDAP Attribute to RADIUS Attribute

Thibault Le Meur Thibault.LeMeur at supelec.fr
Wed Jul 19 16:34:32 CEST 2006


> 
> I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
> I am trying to map an LDAP attribute to a RADIUS attribute.  A little
> background: we have a RADIUS client that needs to make decisions
> based on an LDAP attribute (we'll call it User-Category).  Based on
> the value of this attribute the end user will be given rights on the
> network.  So, I set up my ldap.attrmap with *only* the following line:
> 
> replyItem       User-Category                   orgPrimaryAffiliation
> 

> rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value  

> auth: type "LDAP"
>    Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 4
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "mytestuser" with password "12345"
> rlm_ldap: user DN: orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com
> rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
> rlm_ldap: bind as orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to ldapserver.org.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mytestuser authenticated succesfully
>    modcall[authenticate]: module "ldap" returns ok for request 4
> modcall: leaving group LDAP (returns ok) for request 4
> Sending Access-Accept of id 192 to 127.0.0.1 port 32904 
> Finished request 4

Ok, everything seems ok until now...

> The problem is that I never see the RADIUS server return the
> "User-Category" attribute back to the RADIUS client.  It seems to only
> want to send the "Access-Accept" or "Access-Reject" message with no
> User-Category value.  I tried including the "User-Category" in the
> request with no luck. I also modified the "attrs" file to include this
> attribute:
> 
> DEFAULT
>          Service-Type == Framed-User,
>          Service-Type == Login-User,
>          Login-Service == Telnet,
>          Login-Service == Rlogin,
>          Login-Service == TCP-Clear,
>          Login-TCP-Port <= 65536,
>          Framed-IP-Address == 255.255.255.254,
>          Framed-IP-Netmask == 255.255.255.255,
>          Framed-Protocol == PPP,
>          Framed-Protocol == SLIP,
>          Framed-Compression == Van-Jacobson-TCP-IP,
>          Framed-MTU >= 576,
>          Framed-Filter-ID =* ANY,
>          Reply-Message =* ANY,
>          User-Category =* ANY,
>          Proxy-State =* ANY,
>          Session-Timeout <= 28800,
>          Idle-Timeout <= 600,
>          Port-Limit <= 2
> 
> But no luck there either.  Any help is greatly appreciated.

Yes, but I don't think you can create a new Radius attribute like this. You
should at least declare it in a dictionary (since a Radius attribute
corresponds to a number in fact).

See /etc/raddb/dictionary and any included files.

Can anyone confirm my analysis and propose a procedure to create new
attributes?
Isn't it necessary to register new attributes/numbers somewhere? Is it
possible to define "private attributes"?

Regards,
Thibault
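As an added example (not part of this thread), this is one way to declare User-Category as a vendor-specific attribute in the FreeRADIUS 1.x dictionary syntax, paired with the ldap.attrmap line from the question. The vendor name "Example" and the enterprise number 32473 (reserved for documentation by RFC 5612) are placeholders; a real deployment uses its own IANA-assigned Private Enterprise Number, and the RADIUS client needs the same definition to decode the attribute it receives.

```text
# /etc/raddb/dictionary (FreeRADIUS 1.x syntax): local additions go here.
# Assumption: vendor "Example" with enterprise number 32473 is a placeholder
# (32473 is reserved for documentation by RFC 5612); use your organisation's
# IANA-assigned Private Enterprise Number instead.
VENDOR          Example         32473

# Attribute number 1 inside the Example vendor space. On the wire it is sent
# as a Vendor-Specific (type 26) attribute. A name with no dictionary entry
# has no number, so the server cannot encode it in the Access-Accept.
ATTRIBUTE       User-Category   1       string  Example

# /etc/raddb/ldap.attrmap: copy the LDAP value into the reply list.
replyItem       User-Category   orgPrimaryAffiliation
```

Restart radiusd after editing the dictionary so the new attribute number is loaded, then re-run the test and check the debug output for User-Category in the reply items.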