rlm_checkval and Hint attribute

Tony Peña emperor.cu at gmail.com
Fri Mar 22 20:24:00 CET 2013


Hi again....
now is fine.. the hint query was ...

1 configuration in the hints file.. left the default for users not with
suffix.. and ldap.attrmap.. miss Hint  --- radiusHint

again.. thanks for all



2013/3/22 Tony Peña <emperor.cu at gmail.com>

> Hi again...
> I'm starting to get some confused ideas about this...
>
> I use 3 checkvals.
>
> 1 for Calling-Station-Id
> 2 for Called-Station-Id
> and 3 for Hints
>
> and in the Hints file.. I set up my hints domains and filter so I can apply
> the correct acl/pool ip for the suffix.
>
> also have radiusHints and radiusFilterId in my OpenLDAP db.
>
> now.. my question is.. why if Hints is not found in radius query...
> continue checking the rest for the values... and with any checkvals 1 or 2
> works fine.. ??
>
> so... if some user use other hints radius do access-accept... and not the
> reject like callings/called-station-id who with that... works fine..
>
> simple debug.
>
> [ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
> (uid=gtm478)
> [ldap]  expand: ou=institute,ou=users,dc=sld,dc=cu ->
> ou=institute,ou=users,dc=domain,dc=com
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=institute,ou=users,dc=domain,dc=com, with
> filter (uid=gtm478)
>   [ldap] performing search in
> cn=users.ppp,ou=profiles,ou=radius,ou=services,dc=domain,dc=com, with
> filter (objectclass=radiusprofile)
>   [ldap] radiusCalledStationId -> Called-Station-Id == "999999"
>   [ldap] radiusCalledStationId -> Called-Station-Id == "888888"
>   [ldap] radiusCalledStationId -> Called-Station-Id == "111111"
>   [ldap] extracted attribute Max-Monthly-Session from generic item
> Max-Monthly-Session := 90000
>   [ldap] radiusIdleTimeout -> Idle-Timeout = 300
>   [ldap] radiusSessionTimeout -> Session-Timeout = 7200
>   [ldap] radiusFramedCompression -> Framed-Compression =
> Van-Jacobson-TCP-IP
>   [ldap] radiusFramedMTU -> Framed-MTU = 576
>   [ldap] radiusFilterId -> Filter-Id = "general.in"
>   [ldap] radiusFramedProtocol -> Framed-Protocol = PPP
>   [ldap] radiusServiceType -> Service-Type = Framed-User
> [ldap] Added User-Password = {CRYPT}$1$passwordcrypted in check items
> [ldap] No default NMAS login sequence
> [ldap] looking for check items in directory...
>   [ldap] userPassword -> Password-With-Header ==
> "{CRYPT}$1$cryptedpassword"
>   [ldap] radiusCallingStationId -> Calling-Station-Id == "111111"
> [ldap] looking for reply items in directory...
> [ldap] user gtm478 authorized to use remote access
>   [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> rlm_checkval: Item Name: Calling-Station-Id, Value: 111111
> rlm_checkval: Value Name: Calling-Station-Id, Value: 111111
> ++[checkval1] returns ok
> rlm_checkval: Item Name: Called-Station-Id, Value: 88888
> rlm_checkval: Value Name: Called-Station-Id, Value: 999999
> rlm_checkval: Value Name: Called-Station-Id, Value: 88888
> ++[checkval2] returns ok
> rlm_checkval: Item Name: Hint, Value: userdefault
> *rlm_checkval: Could not find attribute named Hint in check pairs*
> *++[checkval3] returns notfound*
>
> *I need to stop here.. and reject the user.. *
>
> ++? if (User-Name =~ /^(.+)@institute.domain.com/)
> ? Evaluating (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
> ++? if (User-Name =~ /^(.+)@institute.domain.com/) -> TRUE
> ++- entering if (User-Name =~ /^(.+)@institute.domain.com/) {...}
> rlm_sqlcounter: Entering module authorize code
>
> *It should NOT continue.....*
>
> the users .. logging on...ok. (with bad hints)
> with hints works fine.
>
> thanks in advance... (I'll continue searching and trying while I wait for
> this...)
> sorry for my bad English ..  O:-)
> regards.
>
> --
> Antonio Peña
> Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
> Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
>



-- 
Antonio Peña
Secure email with PGP 0x8B021001 available at http://pgp.mit.edu
 Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
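
The behaviour in the quoted debug output, where a checkval instance returns notfound because its check attribute was never mapped and the request carries on, can be spotted mechanically. The following is an added example, not part of the original post or of FreeRADIUS; the function name, the finding fields and the sample lines (constructed from the debug output quoted above) are assumptions, and the input is assumed to hold a single request.

```python
import re

# "++[checkval3] returns notfound": per-module result line in FreeRADIUS debug output
RESULT_RE = re.compile(r"\+\+\[(?P<module>[^\]]+)\] returns (?P<code>\w+)")
# rlm_checkval's message when the check item is absent from the check pairs
MISSING_RE = re.compile(
    r"rlm_checkval: Could not find attribute named (?P<attr>\S+) in check pairs")


def find_fail_open_checks(debug_lines):
    """Flag module instances that returned notfound for a missing check
    attribute, and record whether the request was processed further."""
    findings = []
    missing_attr = None
    for line in debug_lines:
        missing = MISSING_RE.search(line)
        if missing:
            missing_attr = missing.group("attr")
            continue
        result = RESULT_RE.search(line)
        if result and missing_attr:
            if result.group("code") == "notfound":
                findings.append({"module": result.group("module"),
                                 "attribute": missing_attr,
                                 "continued": False})
            missing_attr = None
            continue
        # Any later non-empty line means the request was not stopped there.
        if findings and line.strip(" >*\t"):
            findings[-1]["continued"] = True
    return findings


# Constructed sample, modelled on the debug output quoted in the post.
SAMPLE = """\
++[ldap] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: 111111
rlm_checkval: Value Name: Calling-Station-Id, Value: 111111
++[checkval1] returns ok
rlm_checkval: Item Name: Hint, Value: userdefault
rlm_checkval: Could not find attribute named Hint in check pairs
++[checkval3] returns notfound
rlm_sqlcounter: Entering module authorize code
""".splitlines()

if __name__ == "__main__":
    for f in find_fail_open_checks(SAMPLE):
        state = "request continued" if f["continued"] else "request ended"
        print(f"{f['module']}: check attribute {f['attribute']} missing, {state}")
```
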