Personalizing ldap filters from users file

Angel L. Mateo amateo at um.es
Mon Nov 19 12:36:56 CET 2012


On 19/11/12 11:17, Phil Mayers wrote:
> On 11/19/2012 09:48 AM, Angel L. Mateo wrote:
>>
>> ldap  {
>>    ...
>>    filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:
>> %{X-Atica-Service}:enabled))"
>>    ...
>> }
>>
>
>> DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
>>      User-Name := `%{User-Name}`,
>>      Fall-Through = No
>>
>>      But this does not work.
>
> It's important to understand how the "users" file works. The line you've
> written above says:
>
> set "X-Actica-Service" to "vpn" in the "control" items if it's not
> already set (= operator)
>
> set "Auth-Type" to "LDAP" in the "control" items if it's not already set
> (= operator)
>
> *if* Realm == um.es
>
> and then
>
> set "User-Name" to "%{User-Name}" on the "reply" items *always* (:=
> operator)
>
> set "Fall-Through" to "No" in the "reply" items if it's not already set
> (= operator)
>
> So, any variable you set on that first line goes in the control items,
> so must be referred to there.
>
> Either modify your LDAP filter to reference:
>
>    "...%{control:X-Actica-Service}..."
>
> ...or better yet, convert the logic to an "unlang" stanza which is more
> flexible and more explicit / less "magic", hence easier to understand,
> *and* lets you set variables in any list. Like so:
>
> authorize {
>    ...
>    if (Realm == um.es) {
>      update request {
>        X-Actica-Service = "..."
>      }
>    }
>    else {
>      ...
>    }
>
>    ldap
> }
>
	Thank you, this way it works.

> Also: I note you are setting "Auth-Type". This is almost always wrong,
> and almost certainly so in your case. Correct config of the LDAP module
> should mean you don't need to set Auth-Type, and it's usually harmful to
> do so. If it's not causing you a problem it's probably because you're
> using the "=" rather than ":=" operator.
>
	It works for me. Maybe it's because I don't use ldap in authorize, but 
just in:

authenticate {
	Auth-Type LDAP {
		ldap
	}
}

	I don't know the real cause of this (I inherited this 
configuration from an old config that I didn't write).

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 868888337
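Pulling the thread's advice together, here is an added example of both fixes side by side. It is my own configuration, not Phil's or Angel's, and not from the FreeRADIUS project; it assumes 2.x-era syntax, that X-Atica-Service is declared in the local dictionary (the thread shows two spellings, X-Atica-Service in the filter and X-Actica-Service in the users entry; whichever is declared must be used identically in both places), and it keeps the `<urn prefix>` placeholder from the original post. Unlike Phil's stanza, which updates the request list so the original unprefixed `%{X-Actica-Service}` keeps working, this version puts the attribute in the control list with `:=` in both variants, so the filter references `%{control:...}` in both cases. The reason is a caveat worth stating: with `=` on a wire-sendable attribute in the request list, a client that knows the dictionary could pre-seed the value and steer the filter; `:=` into control is set by the server alone. The remark about rlm_ldap setting Auth-Type itself reflects my understanding of the 2.x module (it sets Auth-Type = LDAP when it finds the entry but cannot read a password it could hand to another module).

```unlang
# --- Option A: keep the users file, fix the reference ------------------
# users: the first line holds check items.  With "=" / ":=" they land in
# the *control* list, not the request list; ":=" makes the value ours
# even if the attribute was already present.
DEFAULT Realm == "um.es", X-Atica-Service := "vpn"
        Fall-Through = No

# modules/ldap: an expansion with no list prefix is looked up in the
# request list, so the control list must be named explicitly.
# (<urn prefix> is the same placeholder as in the original post.)
ldap {
        ...
        filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:%{control:X-Atica-Service}:enabled))"
        ...
}

# --- Option B: the same thing in unlang ---------------------------------
# sites-enabled/default; uses the same ldap filter as Option A.
authorize {
        ...
        if (Realm == "um.es") {
                update control {
                        # server-set value: a client cannot pre-seed it
                        X-Atica-Service := "vpn"
                }
        }
        ...
        # Run the module in authorize.  It looks the user up and, when it
        # finds the entry but no password it can hand to another module,
        # sets Auth-Type = LDAP itself (2.x behaviour, as I understand
        # it), so no manual "Auth-Type = LDAP" is needed anywhere.
        ldap
        ...
}

authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```

Check it with `radiusd -X` and a test request: the debug output should show the `ldap` module expanding the filter with `vpn` in place of `%{control:X-Atica-Service}`, and the `Auth-Type = LDAP` line should appear as something the module set, not something a users entry forced.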