Referencing LDAP attributes in post-auth

schilling schilling2006 at gmail.com
Mon Nov 7 03:53:41 CET 2011


This might help.

Then I want to map certain attributes, like employeeStatus, from our
iPlanet LDAP server to a RADIUS attribute, so I can manipulate it
in the post-auth section.
I put the following line in etc/raddb/dictionary
ATTRIBUTE       My-Local-employeeStatus 3000    string

and the following line in etc/raddb/ldap.attrmap
#FOO specific attributes
replyItem       My-Local-employeeStatus         employeeStatus

Without these two line additions, radius will complain about an unknown attribute.

Then in the post-auth section:

# By default there is no Tunnel attribute/value; instead, the NAS is
# configured to put such users on the student VLANs.

# This covers my LDAP ntPassword authentication/authorization:
# facstaff have employeeStatus set while students do not.
if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff"
        }
}
# This covers my AD ntlm auth; people in AD are all facstaff.
if ( "%{User-Name}" !~ /@/ ) {
        update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff"
        }
}

In this way, people can map arbitrary attributes from LDAP to RADIUS;
if they are not in dictionary/ldap.attrmap, just define your own. Then
you have the flexibility of using these attributes/values in your logic in the
post-auth section.

Thanks all for the hints and help!

Schilling

On Tue, Nov 1, 2011 at 4:08 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 11/01/2011 07:41 PM, Adam Track wrote:
>>
>>  > I’m just guessing, and could be WAY off, but may be an inner-tunnel
>> vs. outer-tunnel thing.
>>
>> In eap.conf, I've got copy_request_to_tunnel = yes and
>> use_tunneled_reply = yes. Neither the ldap nor perl modules are called
>> in the inner-tunnel.
>
> Full debug please.
>
> Broadly speaking the approach you're trying should work. Most likely there's
> some subtlety which the partial debug doesn't show.
>
> One obvious question: you have defined "Person-Type" in a dictionary
> somewhere, haven't you? e.g. in raddb/dictionary:
>
> ATTRIBUTE       Person-Type     3099    string
>
> Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o)
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
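An added example, not from Schilling's post or the FreeRADIUS project, that builds on the same dictionary and ldap.attrmap entries described above: instead of testing only whether My-Local-employeeStatus is present, it compares the value, sets the student VLAN explicitly rather than relying on the NAS default, and removes the working attribute once the decision is made. The employeeStatus value "active" and the VLAN names are assumptions for this example.

```unlang
# Assumed: raddb/dictionary holds
#   ATTRIBUTE  My-Local-employeeStatus  3000  string
# and raddb/ldap.attrmap holds
#   replyItem  My-Local-employeeStatus  employeeStatus
# The value "active" and the VLAN names are constructed for this example.
post-auth {
        # Realm users were looked up in LDAP; compare the returned value so an
        # unexpected status (e.g. "terminated") does not land on the staff VLAN.
        if ("%{User-Name}" =~ /@/) {
                if ("%{reply:My-Local-employeeStatus}" == "active") {
                        update reply {
                                Service-Type := Framed-User
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802
                                Tunnel-Private-Group-Id := "facstaff"
                        }
                }
                else {
                        # Explicit fallback instead of the NAS default.
                        update reply {
                                Tunnel-Type := VLAN
                                Tunnel-Medium-Type := IEEE-802
                                Tunnel-Private-Group-Id := "student"
                        }
                }
        }
        # Non-realm users come from AD via ntlm_auth and are all facstaff.
        else {
                update reply {
                        Service-Type := Framed-User
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "facstaff"
                }
        }
        # The local attribute was only needed for this decision; drop it.
        update reply {
                My-Local-employeeStatus !* ANY
        }
}
```

The `:=` operator overrides any Tunnel-* values the ldap module may already have placed in the reply, so the VLAN assignment comes from this logic alone.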