Config. Help please - ldap and Active Directory
Leighton Man
l.j.man at hud.ac.uk
Wed Mar 11 14:24:08 CET 2009
>
> Update a server-side attribute when you use the module:
>
> update control {
> Tmp-String-0 = "ldap-student"
> }
>
> then in post-auth:
>
> if (control:Tmp-String-0 == "ldap-student") {
> ...
>
> }
>
I'm really grateful for all your help but it still doesn't work and after hours of experimenting, here's where I am:
I add
if (control:Tmp-String-0 == "ldap-student") {
update reply {
Reply-Message := "User is student"
}
}
To the end of the post-auth section and radiusd -X reports:
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 53 to 10.127.240.217 port 1645
Fair enough, the user is authenticated but Tmp-String-0 hasn't been assigned a string.
I add
update control {
Tmp-String-0 = "ldap-student"
}
To the beginning of the post-auth section and radiusd -X reports:
++[eap] returns ok
+- entering group post-auth {...}
++[control] returns noop
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE
++? if (control:Tmp-String-0 == "ldap-student") -> TRUE
++- entering if (control:Tmp-String-0 == "ldap-student") {...}
+++[reply] returns noop
++- if (control:Tmp-String-0 == "ldap-student") returns noop
Sending Access-Accept of id 101 to 10.127.240.217 port 1645
OK so far, so I move
update control {
Tmp-String-0 = "ldap-student"
}
To the authorise section thus:
ldap_staff
if (ok) {
update reply {
Reply-Message = "ldap-staff"
}
}
else {
ldap_student
if (ok) {
update control {
Tmp-String-0 = "ldap-student"
}
}
else {
reject
}
}
And I get:
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645
Towards the beginning of the debug output is:
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
++++[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
Does "++++[control] returns ok" mean the string was successfully assigned? If so, how do I find where it gets lost?
A search for ldap-s through the file only produces two matches, one where the string is assigned and the other where it is tested. Similarly a search for Tmp-Str only finds two matches.
History | grep vi shows I haven't accidentally edited another file.
Leighton
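As an added example (not part of the post, and not FreeRADIUS code), a small Python parser for `radiusd -X` output that records which section an `update control` ran in and which section later reported the attribute missing. The debug excerpt is constructed by stitching the lines quoted above into one request, with an assumed `entering group authorize` header.

```python
import re

# Constructed sample: excerpts of the radiusd -X output from the post,
# stitched together as a single request (authorize, then post-auth).
SAMPLE_DEBUG = """\
+- entering group authorize {...}
++- entering else else {...}
+++[ldap_student] returns ok
+++- entering if (ok) {...}
++++[control] returns ok
+++- if (ok) returns ok
++- else else returns ok
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
    (Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645
"""

GROUP_RE = re.compile(r'^\++- entering group (\S+) \{')      # section headers
MODULE_RE = re.compile(r'^\++\[(\w+)\] returns (\w+)')        # "[module] returns rcode"
MISSING_RE = re.compile(r'\(Attribute (\S+) was not found\)') # failed attribute lookup
SEND_RE = re.compile(r'^Sending (\S+) of id (\d+)')           # end of the request

def trace_control_list(debug_text, attr="control:Tmp-String-0"):
    """Return (section, event) tuples: where the control list was written
    (an 'update control' block logs as '[control] returns ok') and where a
    later condition failed to find the attribute."""
    section = None
    events = []
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m and m.group(1) == "control" and m.group(2) == "ok":
            events.append((section, "control list updated"))
            continue
        m = MISSING_RE.search(line)
        if m and m.group(1) == attr:
            events.append((section, attr + " not found"))
            continue
        m = SEND_RE.match(line)
        if m:
            events.append((section, "request %s finished: %s" % (m.group(2), m.group(1))))
    return events

if __name__ == "__main__":
    for section, event in trace_control_list(SAMPLE_DEBUG):
        print("%-10s %s" % (section, event))
```

Running it on a full `radiusd -X` capture shows, per section, whether the write and the failed read happened in the same request; for EAP the output of each tunnelled inner request should be checked separately from the outer one.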