Map LDAP Attribute to RADIUS Attribute
Thibault Le Meur
Thibault.LeMeur at supelec.fr
Wed Jul 19 16:34:32 CEST 2006
> I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
> I am trying to map an LDAP attribute to a RADIUS attribute.
> A little
> background, we have a RADIUS client that needs to make decisions
> based on an LDAP attribute (we'll call it User-Category). Based on
> the value of this attribute the end user will be given rights on the
> network. So, I setup my ldap.attrmap with *only* the following line:
> replyItem User-Category orgPrimaryAffiliation
> rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 4
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "mytestuser" with password "12345"
> rlm_ldap: user DN: orgUUID=53d66879-e0a0-
> rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
> rlm_ldap: bind as orgUUID=53d66879-e0a0-
> da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mytestuser authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 4
> modcall: leaving group LDAP (returns ok) for request 4
> Sending Access-Accept of id 192 to 127.0.0.1 port 32904
> Finished request 4
Ok everything seems ok untill now...
> The problem is that I never see the RADIUS server return the "User-
> Category" attribute back to the RADIUS client. It seems to
> only want
> to send the "Access-Accept" or "Access-Reject" message with no User-
> Category value. I tried including the "User-Category" in the
> with no luck. I also modified the "attrs" file to include this
> Service-Type == Framed-User,
> Service-Type == Login-User,
> Login-Service == Telnet,
> Login-Service == Rlogin,
> Login-Service == TCP-Clear,
> Login-TCP-Port <= 65536,
> Framed-IP-Address == 255.255.255.254,
> Framed-IP-Netmask == 255.255.255.255,
> Framed-Protocol == PPP,
> Framed-Protocol == SLIP,
> Framed-Compression == Van-Jacobson-TCP-IP,
> Framed-MTU >= 576,
> Framed-Filter-ID =* ANY,
> Reply-Message =* ANY,
> User-Category =* ANY,
> Proxy-State =* ANY,
> Session-Timeout <= 28800,
> Idle-Timeout <= 600,
> Port-Limit <= 2
> But no luck there either. Any help is greatly appreciated.
Yes, but I don't think you can create a new Radius attribute like this. You
should at least declare it in a dictionnary (wince a Radius attribute
corresponds to a number in fact).
See /etc/raddb/dictionnary and any Included files.
Can anyone confirm my analysis and propose a procedure to create new
Isn't i necessary to register new attributes/number somewhere ? Is it
possible to define "private attributes" ?
More information about the Freeradius-Users