Expand Ldap Attribute on Post-Auth section
Renan
rmanola at npd.ufes.br
Tue Jun 7 19:16:05 CEST 2011
So, according to this:
http://wiki.freeradius.org/Attribute%20support%20by%20processing%20list
I can only access the User-Name and Auth-Type at my custom exec module,
and nothing else?
I just want to access an LDAP value at my exec module without having to
issue an external ldapsearch and avoid maintaining doubled ldap
configurations and queries for this.
On 06-06-2011 15:13, Renan wrote:
> Hello there,
>
> I'm trying to evaluate an ldap returned attribute on the post-auth
> section.
>
> At my dictionary:
> ATTRIBUTE Aa 3000 string
>
> At my ldap.attrmap:
> checkItem AA eduPersonAffiliation
>
> And at my custom module:
> exec aloca_vlans {
> wait = yes
> program = "/usr/local/bin/script-teste.sh %{User-Name}
> %{control:Aa} %{reply:Aa} %{Aa} "
> input_pairs = request
> output_pairs = reply
> packet_type = Access-Accept
> shell_escape = yes
> }
>
> When running radiusd -X, I see the data getting fetched.
>
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
> [ldap] eduPersonAffiliation -> Aa == "5"
> [ldap] eduPersonAffiliation -> Aa == "2"
> [ldap] userPassword -> Password-With-Header == "xxxxxxxxxxxxx"
> [ldap] ntPassword -> NT-Password == xxxxxxxxxxxxxx
> [ldap] looking for reply items in directory...
>
> But when the variables are expanded it returns nothing:
>
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> [reply_log] expand:
> /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> -> /var/log/freeradius/radacct/xxxxxx/reply-detail-20110606
> [reply_log]
> /var/log/freeradius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/xxxxxx/reply-detail-20110606
> [reply_log] expand: %t -> Mon Jun 6 15:04:10 2011
> ++[reply_log] returns ok
> [aloca_vlans] expand: %{User-Name} -> renan.manola
> [aloca_vlans] expand: %{control:Aa} ->
> [aloca_vlans] expand: %{reply:Aa} ->
> [aloca_vlans] expand: %{Aa} ->
>
> I have specified the control and reply lists just as a test. If I
> don't specify the variable name at the dictionary file, the log
> complains of "unknown module not found".
>
> Best regards.
>
--
Renan Manola
Information Technology Analyst
Nucleo de Processamento de Dados (NPD)
Universidade Federal do Espírito Santo (UFES)
Ministério da Educação - Serviço Público Federal
E-mail: rmanola at npd.ufes.br