Map LDAP Attribute to RADIUS Attribute
paul at pauldotcom.com
Wed Jul 19 17:05:49 CEST 2006
Thank you for reviewing my post.
Here is a little more information:
The RADIUS client is actually an Aruba wireless controller. It had
an attribute already defined called "User-Category". I also checked
the dictionary file for "User-Category" and this is what I found:
# grep User-Category *
Category 1029 string
I am happy to change my attribute to something more standard or
different if this seems to be the problem.
On Jul 19, 2006, at 10:34 AM, Thibault Le Meur wrote:
>> I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
>> I am trying to map an LDAP attribute to a RADIUS attribute. A little
>> background: we have a RADIUS client that needs to make decisions
>> based on an LDAP attribute (we'll call it User-Category). Based on
>> the value of this attribute the end user will be given rights on the
>> network. So, I set up my ldap.attrmap with *only* the following line:
>> replyItem User-Category orgPrimaryAffiliation
>> rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value
>> auth: type "LDAP"
>> Processing the authenticate section of radiusd.conf
>> modcall: entering group LDAP for request 4
>> rlm_ldap: - authenticate
>> rlm_ldap: login attempt by "mytestuser" with password "12345"
>> rlm_ldap: user DN: orgUUID=53d66879-e0a0-
>> rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
>> rlm_ldap: bind as orgUUID=53d66879-e0a0-
>> da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: user mytestuser authenticated succesfully
>> modcall[authenticate]: module "ldap" returns ok for request 4
>> modcall: leaving group LDAP (returns ok) for request 4
>> Sending Access-Accept of id 192 to 127.0.0.1 port 32904
>> Finished request 4
> Ok, everything seems ok until now...
>> The problem is that I never see the RADIUS server return the
>> "User-Category" attribute back to the RADIUS client. It seems to
>> only want to send the "Access-Accept" or "Access-Reject" message
>> with no User-Category value. I tried including the "User-Category" in the
>> with no luck. I also modified the "attrs" file to include this
>> Service-Type == Framed-User,
>> Service-Type == Login-User,
>> Login-Service == Telnet,
>> Login-Service == Rlogin,
>> Login-Service == TCP-Clear,
>> Login-TCP-Port <= 65536,
>> Framed-IP-Address == 255.255.255.254,
>> Framed-IP-Netmask == 255.255.255.255,
>> Framed-Protocol == PPP,
>> Framed-Protocol == SLIP,
>> Framed-Compression == Van-Jacobson-TCP-IP,
>> Framed-MTU >= 576,
>> Framed-Filter-ID =* ANY,
>> Reply-Message =* ANY,
>> User-Category =* ANY,
>> Proxy-State =* ANY,
>> Session-Timeout <= 28800,
>> Idle-Timeout <= 600,
>> Port-Limit <= 2
>> But no luck there either. Any help is greatly appreciated.
> Yes, but I don't think you can create a new Radius attribute like
> this. You should at least declare it in a dictionary (since a Radius
> attribute corresponds to a number in fact).
> See /etc/raddb/dictionary and any included files.
> Can anyone confirm my analysis and propose a procedure to create new
> attributes?
> Isn't it necessary to register new attributes/number somewhere? Is it
> possible to define "private attributes"?
Email: paul at pauldotcom.com
IRC: #pauldotcom | irc.freenode.net
Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094
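As an added example (not code from this thread or from the FreeRADIUS project), the Python below performs the check Thibault's reply calls for: it parses a dictionary's VENDOR, BEGIN-VENDOR and ATTRIBUTE lines, then reports which replyItem attributes in ldap.attrmap are undeclared, and which are declared without a vendor under a number above 255, which FreeRADIUS treats as internal and never encodes into the Access-Accept sent to the NAS. The sample dictionary and attrmap text are constructed; Aruba's vendor id 14823 and the Aruba-User-Role attribute are assumed from the stock dictionary.aruba, not taken from the thread.

```python
# Constructed sample files, not the poster's real configuration. Aruba's vendor
# id 14823 and the Aruba-User-Role attribute are assumed from dictionary.aruba.
DICTIONARY = """ATTRIBUTE    User-Category    1029   string   # no vendor: internal only
VENDOR       Aruba            14823
BEGIN-VENDOR Aruba
ATTRIBUTE    Aruba-User-Role  1      string
END-VENDOR   Aruba
"""
ATTRMAP = """checkItem  User-Password    userPassword
replyItem  User-Category    orgPrimaryAffiliation
replyItem  Aruba-User-Role  orgPrimaryAffiliation
replyItem  Not-Declared     mail
"""

def parse_dictionary(text):
    """Map attribute name -> (vendor_id, number, type); $INCLUDE is ignored."""
    vendors, attrs, current_vendor = {}, {}, 0
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        keyword = fields[0].upper()
        if keyword == "VENDOR":
            vendors[fields[1]] = int(fields[2])
        elif keyword == "BEGIN-VENDOR":
            current_vendor = vendors[fields[1]]
        elif keyword == "END-VENDOR":
            current_vendor = 0
        elif keyword == "ATTRIBUTE":
            # old 'ATTRIBUTE name number type VendorName' form, else current block
            vendor = vendors[fields[4]] if len(fields) > 4 else current_vendor
            attrs[fields[1]] = (vendor, int(fields[2]), fields[3])
    return attrs

def check_attrmap(attrmap_text, attrs):
    """Classify each replyItem attribute as 'ok', 'internal' or 'undeclared'.
    A non-vendor attribute numbered above 255 is internal to the server and
    is never encoded into an Access-Accept, so the NAS never receives it."""
    verdicts = {}
    for raw in attrmap_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "replyItem":
            continue
        name = fields[1]
        if name not in attrs:
            verdicts[name] = "undeclared"
        else:
            vendor, number, _ = attrs[name]
            verdicts[name] = "internal" if vendor == 0 and number > 255 else "ok"
    return verdicts
```

Run `check_attrmap(ATTRMAP, parse_dictionary(DICTIONARY))` against your own /etc/raddb/dictionary and ldap.attrmap contents to see which reply attributes can actually reach the wireless controller.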