Personalizing ldap filters from users file

Phil Mayers p.mayers at imperial.ac.uk
Mon Nov 19 11:17:45 CET 2012


On 11/19/2012 09:48 AM, Angel L. Mateo wrote:
>
> ldap  {
>    ...
>    filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:%{X-Atica-Service}:enabled))"
>    ...
> }
>

> DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
>      User-Name := `%{User-Name}`,
>      Fall-Through = No
>
>      But this does not work.

It's important to understand how the "users" file works. The line you've 
written above says:

set "X-Actica-Service" to "vpn" in the "control" items if it's not 
already set (= operator)

set "Auth-Type" to "LDAP" in the "control" items if it's not already set 
(= operator)

*if* Realm == um.es

and then

set "User-Name" to "%{User-Name}" on the "reply" items *always* (:= 
operator)

set "Fall-Through" to "No" in the "reply" items if it's not already set 
(= operator)

So, any variable you set on that first line goes in the control items, 
so must be referred to there.

Either modify your LDAP filter to reference:

   "...%{control:X-Actica-Service}..."

...or better yet, convert the logic to an "unlang" stanza which is more 
flexible and more explicit / less "magic", hence easier to understand, 
*and* lets you set variables in any list. Like so:

authorize {
   ...
   if (Realm == um.es) {
     update request {
       X-Actica-Service = "..."
     }
   }
   else {
     ...
   }

   ldap
}

Also: I note you are setting "Auth-Type". This is almost always wrong, 
and almost certainly so in your case. Correct config of the LDAP module 
should mean you don't need to set Auth-Type, and it's usually harmful to 
do so. If it's not causing you a problem it's probably because you're 
using the "=" rather than ":=" operator.

Cheers,
Phil
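The following is an added illustration, not code from this thread or from FreeRADIUS: a small Python model of the "users" file semantics Phil describes (check items on the first line, with "==" comparing and other operators writing to the control list; reply items on the indented lines; "=" only setting an attribute that is absent, ":=" always overwriting) together with a %{Attr} / %{list:Attr} expander in which an unqualified name reads the request list. The entry, the request attributes and the two filter strings are constructed sample input; the "<urn prefix>" placeholder is left as the original question wrote it. Running it shows why the original filter expands with an empty value while the "%{control:...}" form picks up "vpn".

```python
import re
from typing import Dict, List, Optional, Tuple

# Added model (not FreeRADIUS code) of the "users" file behaviour described in
# the reply above. Assumptions: the first line of an entry holds check items,
# "==" is a comparison, other first-line operators write to the "control"
# list, indented lines are reply items, and an unqualified %{Attr} reads the
# request list.

Item = Tuple[str, str, str]   # (attribute, operator, value)
AttrList = Dict[str, str]     # one RADIUS attribute list (request/control/reply)

# Constructed sample: the entry from the original question.
USERS_ENTRY = """\
DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
        User-Name := `%{User-Name}`,
        Fall-Through = No
"""

# Constructed filters: the questioner's (unqualified reference, so it reads the
# request list) and the corrected one that reads the control list.
FILTER_REQUEST = ("(&(mail=%{User-Name})"
                  "(schacUserStatus=<urn prefix>:%{X-Actica-Service}:enabled))")
FILTER_CONTROL = ("(&(mail=%{User-Name})"
                  "(schacUserStatus=<urn prefix>:%{control:X-Actica-Service}:enabled))")

ITEM_RE = re.compile(
    r"([\w-]+)\s*(:=|==|=)\s*"                       # attribute and operator
    r'(?:"([^"]*)"|' r"'([^']*)'|`([^`]*)`|([^,\s]+))"  # quoted or bare value
)

def parse_items(text: str) -> List[Item]:
    """Parse a comma-separated run of 'Attr op value' items."""
    items: List[Item] = []
    for m in ITEM_RE.finditer(text):
        value = next(g for g in m.groups()[2:] if g is not None)
        items.append((m.group(1), m.group(2), value))
    return items

def parse_users_entry(entry: str) -> Tuple[List[Item], List[Item]]:
    """Split one users-file entry into (check items, reply items)."""
    lines = [line.strip() for line in entry.splitlines() if line.strip()]
    _name, _, first_items = lines[0].partition(" ")   # drop DEFAULT/username
    return parse_items(first_items), parse_items(" ".join(lines[1:]))

def set_item(target: AttrList, attr: str, op: str, value: str) -> None:
    """Apply one assignment operator to a list."""
    if op == ":=":
        target[attr] = value             # always set
    elif op == "=":
        target.setdefault(attr, value)   # set only if not already present

def apply_entry(check: List[Item], reply: List[Item],
                request: AttrList) -> Optional[Tuple[AttrList, AttrList]]:
    """Return (control, reply) lists if the entry matches the request, else None."""
    for attr, op, value in check:
        if op == "==" and request.get(attr) != value:
            return None                  # comparison failed: entry is skipped
    control: AttrList = {}
    for attr, op, value in check:
        if op != "==":
            set_item(control, attr, op, value)   # first-line assignments -> control
    reply_list: AttrList = {}
    for attr, op, value in reply:
        set_item(reply_list, attr, op, value)    # indented lines -> reply
    return control, reply_list

XLAT_RE = re.compile(r"%\{(?:(request|control|reply):)?([\w-]+)\}")

def expand(template: str, lists: Dict[str, AttrList]) -> str:
    """Expand %{Attr} and %{list:Attr}; a missing attribute expands to ""."""
    return XLAT_RE.sub(
        lambda m: lists[m.group(1) or "request"].get(m.group(2), ""), template)

def expand_filters(request: AttrList) -> Optional[Tuple[str, str]]:
    """Run the sample entry against a request and expand both filter strings."""
    check, reply = parse_users_entry(USERS_ENTRY)
    result = apply_entry(check, reply, request)
    if result is None:
        return None
    control, reply_list = result
    lists = {"request": request, "control": control, "reply": reply_list}
    return expand(FILTER_REQUEST, lists), expand(FILTER_CONTROL, lists)

if __name__ == "__main__":
    sample_request = {"User-Name": "alice", "Realm": "um.es"}   # constructed
    for expanded in expand_filters(sample_request) or ():
        print(expanded)
```

The point worth noticing is that the unqualified reference does not fail loudly: the attribute is simply absent from the request list, so it expands to an empty string and the LDAP filter quietly changes shape (here to "...:<urn prefix>::enabled") instead of raising an error. Checking the expanded filter in the server's debug output is the quickest way to catch a wrong list reference before it silently breaks authorization.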
