rlm_ldap and (automagic) xlat

Sven Hartge sven at svenhartge.de
Fri Oct 29 15:20:15 CEST 2010


Hi all!

I am using freeradius 2.1.10 (from backports) on a Debian Lenny server
to authenticate wireless users using EAP and normal users (from Ascend
NAS and ASA5510) with CHAP and PAP and so on.

My backend is an LDAP directory (OpenLDAP).

So far, everything is fine and working great.

My question is more about fine tuning some aspects and some
understanding issues with the way rlm_ldap adds (or doesn't add)
attributes to the query/reply.

I need to explain a bit about my environment:

I have two LDAP attributes, which control the state of the account of a
user:

a) gifb-Status         ("1" means enabled)
b) gifb-NetzAccStatus  ("1" again means enabled)

- gifb-status gets set to "0" if the password expires or the account gets
  disabled because of other reasons.

- gifb-NetzAccStatus gets set to "0" if the networking account has to be
  disabled

If either of the two attributes is != 1, then the user has to be rejected.

To achieve this, until recently I had a filter like the following for
the ldap module:

filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=gifb-NetzAccount)(&(gifb-status=1)(gifb-NetzAccStatus=1)))"

This worked OK, i.e. the user was rejected if his account was disabled,
because he wasn't even found by the ldap module. But this also resulted
in somewhat ugly log entries:

Sun Oct  3 20:38:18 2010 : Auth: Login incorrect (  [ldap] User not found): [XXXX123] (from client alb13 port 5 cli 00236CDEADBF via TLS tunnel)
Sun Oct  3 20:38:18 2010 : Auth: Login incorrect: [XXXX123] (from client alb13 port 5 cli 00236CDEADBF)

So, using unlang I created the following, adjusting my filter first ...

filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=gifb-NetzAccount))"

... adding to the dictionary ...

ATTRIBUTE       GIFB-NetzAccStatus      3000    integer
ATTRIBUTE       GIFB-Status             3001    integer

and then in the inner-tunnel:

,----[sites-enabled/inner-tunnel
| ldap
|
| if ( !notfound ) {
|         update request {
|                 GIFB-NetzAccStatus := "%{ldap:ldap:///dc=fh-giessen-friedberg,dc=de?GIFB-NetzAccStatus?sub?uid=%u}"
|                 GIFB-Status := "%{ldap:ldap:///dc=fh-giessen-friedberg,dc=de?GIFB-Status?sub?uid=%u}"
|         }
|         if ( GIFB-NetzAccStatus != 1 ) {
|                 update reply {
|                         Reply-Message = "User denied by GIFB-NetzAccStatus"
|                 }
|                 reject
|         }
|         if ( GIFB-Status != 1 ) {
|                 update reply {
|                         Reply-Message = "User denied by GIFB-Status"
|                 }
|                 reject
|         }
| }
`----

This also works great, I get meaningful log-entries and everything is
OK.

Now, for my rather simple question:

Why can't I just add the following to ldap.attrmap and have the ldap
module add those two attributes automagically? Why do I have to use two
separate ldap_xlat queries?

checkItem       GIFB-NetzAccStatus      GIFB-NetzAccStatus
checkItem       GIFB-Status             GIFB-Status

I also tried this with "replyItem" instead of checkItem and also tried
adding ":=" as the operator, but without the separate ldap_xlat queries
neither RADIUS attribute is available after the normal ldap module has run.

It seems I am missing some crucial piece of information here or just lack
an understanding of this part of FreeRADIUS.

Please enlighten me.

Regards,
Sven.

-- 
Sig lost. Core dumped.
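Added example (not part of the original post): one way the two account-state checks could be written if the ldap.attrmap route is used instead of the two separate ldap xlat queries. It assumes that checkItem lines in ldap.attrmap place the fetched values in the control list, not in the request list, so the unlang conditions reference them as control:... instead of as bare attribute names; it also treats a missing attribute as a denial, so that an LDAP entry lacking one of the status attributes fails closed rather than open. The attribute names, dictionary entries and Reply-Message texts are the post's own; the control: prefix and the existence checks are the assumption being illustrated.

```unlang
# ldap.attrmap (added example). These two lines map the LDAP status
# attributes onto the RADIUS attributes defined in the post's dictionary.
# They are shown here as comments because the rest of this block is unlang
# for sites-enabled/inner-tunnel, not attrmap syntax.
#
#   checkItem       GIFB-NetzAccStatus      gifb-NetzAccStatus
#   checkItem       GIFB-Status             gifb-Status

# sites-enabled/inner-tunnel, authorize section (added example).
ldap

if ( !notfound ) {
        # checkItem values are assumed to be in the control list after
        # the ldap module has run. A missing value is treated the same as
        # a disabled account, so an incomplete entry cannot log in.
        if ( !control:GIFB-NetzAccStatus || (control:GIFB-NetzAccStatus != 1) ) {
                update reply {
                        Reply-Message = "User denied by GIFB-NetzAccStatus"
                }
                reject
        }
        if ( !control:GIFB-Status || (control:GIFB-Status != 1) ) {
                update reply {
                        Reply-Message = "User denied by GIFB-Status"
                }
                reject
        }
}
```

To confirm which list the attributes actually end up in on a given installation, run the server in debug mode (radiusd -X) and read the attribute output printed after the ldap module has run; the conditions above only work if the two GIFB attributes appear there as control items.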
