add attribute to Access-Accept
Gary Prosser
gary.prosser at trinity-bris.ac.uk
Fri Aug 28 18:51:57 CEST 2009
We have freeradius running successfully with 3 ldap instances (one for
each of 3 different sets of user credentials, two of which are active
directory).
We want to provide to the calling nas in the Access-Accept reply some
identifier of the ldap instance that authorizes a user. I have not been
able to achieve this.
Freeradius -X output shows
rlm_ldap: - authorize
rlm_ldap: performing user authorization for leesle
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> leesle
expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})
-> (samAccountName=leesle)
expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk ->
OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in
OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk, with filter
(samAccountName=leesle)
rlm_ldap: checking if remote access for leesle is allowed by
samAccountName
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap1
rlm_ldap: user leesle authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns ok
And then two further authorize sections
++[ldap2] returns notfound
++[ldap3] returns notfound
Then
users: Matched entry DEFAULT at line 159
users: Matched entry DEFAULT at line 163
users: Matched entry DEFAULT at line 167
++[files] returns ok
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type ldap1
auth: type "ldap1"
+- entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "leesle" with password "xxxxx"
rlm_ldap: user DN: CN=Seonghye
Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK
rlm_ldap: (re)connect to 192.168.4.250:389, authentication 1
rlm_ldap: bind as CN=Seonghye
Lee,OU=Students,DC=PUBLIC,DC=TRINITY-BRIS,DC=AC,DC=UK/16763673 to
192.168.4.250:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user leesle authenticated succesfully
++[ldap1] returns ok
Login OK: [leesle/xxxxx] (from client esther2-webserver port 0)
Sending Access-Accept of id 91 to 192.168.2.1 port 1026
Callback-Id := "TCBStaff"
I have tried to put a new attribute into the Access-Accept reply via
users file
159 DEFAULT Auth-Type == "ldap1"
160 Callback-Id = "TCBStudents",
161 Fall-Through = Yes
162 #
163 DEFAULT Auth-Type == "ldap2"
164 Callback-Id := "BBCUsers",
165 Fall-Through = Yes
166 #
167 DEFAULT Auth-Type == "ldap3"
168 Callback-Id := "TCBStaff",
169 Fall-Through = Yes
Since each line in users apparently matches, the attribute Callback-Id
acquires the value of the last DEFAULT. Meanwhile I was hoping that
rlm_ldap: Setting Auth-Type = ldap1
would match only the first.
Can I fix this by adjusting the syntax or do I need a different method?
Any comment appreciated!
Gary Prosser
-
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)
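The behaviour described above turns on the users-file operator semantics: a reply item written with "=" is only added when the attribute is not already in the reply, ":=" replaces whatever is there, "+=" appends, and "Fall-Through = Yes" lets the files module keep matching later entries instead of stopping at the first hit. The following toy evaluator is an added example, not FreeRADIUS code and not part of the original post; it parses a constructed copy of the three DEFAULT entries (line numbers dropped) and walks them the way the files module does. It does not explain why all three DEFAULT entries matched in the posted debug output; the second scenario simply forces that situation to show that the last ":=" then wins, and the third shows that dropping Fall-Through from the first entry stops processing there.

```python
"""Toy emulation of FreeRADIUS 'users' file matching (added example, not FreeRADIUS code)."""
import re

# Constructed copy of the three DEFAULT entries quoted in the post (line numbers dropped).
USERS_FILE = """\
DEFAULT Auth-Type == "ldap1"
        Callback-Id = "TCBStudents",
        Fall-Through = Yes
#
DEFAULT Auth-Type == "ldap2"
        Callback-Id := "BBCUsers",
        Fall-Through = Yes
#
DEFAULT Auth-Type == "ldap3"
        Callback-Id := "TCBStaff",
        Fall-Through = Yes
"""

# attribute, operator, value (quoted or bare), optional trailing comma
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^\s,]+)\s*,?')


def parse_items(text):
    """Turn 'A == "x", B := y' into [('A', '==', 'x'), ('B', ':=', 'y')]."""
    return [(n, op, v.strip('"')) for n, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Entries: an unindented 'name check-items' line, then indented reply-item lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():                       # continuation line: reply items
            entries[-1]['reply'] += parse_items(raw)
        else:
            parts = raw.split(None, 1)
            entries.append({'name': parts[0],
                            'check': parse_items(parts[1]) if len(parts) > 1 else [],
                            'reply': []})
    return entries


def evaluate(entries, request):
    """Walk entries top to bottom the way the files module does.

    '=' adds a reply attribute only if it is not already present, ':=' replaces
    it, '+=' appends.  'Fall-Through = Yes' lets matching continue to the next
    entry; otherwise the first matching entry ends processing.
    Returns (reply attributes, indexes of the entries that matched).
    Only '==' check items are modelled (the toy ignores '=' / ':=' check items).
    """
    reply, matched = {}, []
    for i, e in enumerate(entries):
        if e['name'] != 'DEFAULT' and e['name'] != request.get('User-Name'):
            continue
        if any(op == '==' and request.get(n) != v for n, op, v in e['check']):
            continue
        matched.append(i)
        fall_through = False
        for n, op, v in e['reply']:
            if n == 'Fall-Through':                # control item, never sent to the NAS
                fall_through = v.lower() == 'yes'
            elif op == '=':
                reply.setdefault(n, [v])
            elif op == ':=':
                reply[n] = [v]
            elif op == '+=':
                reply.setdefault(n, []).append(v)
        if not fall_through:
            break
    return reply, matched


def run_scenarios():
    """Three constructed scenarios; returns {name: (reply, matched entry indexes)}."""
    entries = parse_users(USERS_FILE)
    request = {'User-Name': 'leesle', 'Auth-Type': 'ldap1'}   # hypothetical request
    # 1. Check items honoured: only the ldap1 DEFAULT should match.
    checked = evaluate(entries, request)
    # 2. Every entry matches (as in the posted debug output): each ':=' overwrites
    #    the earlier value, so the last DEFAULT wins.
    unconditional = [dict(e, check=[]) for e in entries]
    all_match = evaluate(unconditional, request)
    # 3. Same, but without Fall-Through on the first entry: processing stops there.
    first = dict(unconditional[0],
                 reply=[it for it in unconditional[0]['reply'] if it[0] != 'Fall-Through'])
    no_fallthrough = evaluate([first] + unconditional[1:], request)
    return {'checked': checked, 'all_match': all_match, 'no_fallthrough': no_fallthrough}


if __name__ == '__main__':
    for name, (reply, matched) in run_scenarios().items():
        print(f'{name:15} matched entries {matched} -> {reply}')
```

Running it shows that when the check items hold, only the first entry matches and Callback-Id is "TCBStudents"; when every entry matches, the reply ends up with "TCBStaff" exactly as in the posted Access-Accept; and removing Fall-Through from the first entry leaves "TCBStudents" even when the later entries would otherwise match.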