group authorization

Brendan Kearney bpk678 at gmail.com
Wed Mar 26 22:29:32 CET 2014


On Tue, 2014-03-25 at 22:41 -0400, Alan DeKok wrote:
> Brendan Kearney wrote:
> >>   Why?  The "filter" configuration item is the *only* place where the
> >> LDAP "uid" search string is set.  Editing anything else won't help.
> > the uid vs dn may not be the issue (or at least not the only issue).
> 
>   Pick one problem at a time and solve it.  You said you wanted a search
> string which was more than "uid=...".  I told you how to get that.  Try it.
> 
>   The problem will be fixed, and you can move on to the next problem.
> Or, you can ask for more help to solve the uid / filter problem.
> 
>   You WILL NOT do anything useful by randomly switching between 5
> separate issues.  Only a consistent approach will fix anything.  See
> "man radiusd" for more on this topic.
> 
> >>   Read the documentation and configure it as required.
> > i did and it's vague.
> 
>   The configuration items in raddb/modules/ldap are extensively
> documented.  Do you have a SPECIFIC question?  If so, why not ask it?
> 
> >  also it's contradicted by what is on the freeradius
> > site, which googling around turns up.
> 
>   i.e. "stuff is wrong".  WHAT is wrong?  Where?
> 
>   You're again being as vague as possible.  This isn't helpful.
your reputation for being *ahem* difficult precedes you, but i think it
should be amended to include being a hypocrite, too.  how does it feel?
you have been nothing but obtuse and dodgy yourself.

>   You did post the debug output in your first message, which was nice:
> 
> Debug:
>   [ldap] performing search in dc=bpk2,dc=com, with filter (uid=brendan)
> 
> You:
> the actual member "value" in the group is the "long"
> version of the uid (uid=brendan,ou=Users,dc=bpk2,dc=com).  is there
> something i can do to use the "long" version?
> 
> Me:
>   Edit the "filter" configuration in raddb/modules/ldap
> 
> You:
>   It doesn't work.
> 
> 
>   Uh... that is a completely useless response.  Yes, it does work.  Many
> other people get LDAP filters working.  They just edit the configuration
> item I said.
> 
>   So... did you *try*?  WHAT did you try?  Is it a secret?  Why didn't
> you post the debug output to the list?
> 
> > where do i find the different variables that are referenced
> > (Stripped-User-Name, User-Name, control:Ldap-UserDn, etc)?
> 
>   Those are RADIUS attributes.  Go to wiki.freeradius.org, and type
> "ldap" into the search box.  Hit <enter>.  Click on the first link.  The
> LDAP-UserDn attribute is documented there.
quoting:

For instance it can be set through the users file in the authorize
section:
...

well then, the authorize section has been moved out of the users file
and into the modules/ldap file, AND IS NOT DOCUMENTED FURTHER.
Moreover, my DN in LDAP is fully qualified:
uid=brendan,ou=Users,dc=bpk2,dc=com.  How you are determining the wrong
value and populating a variable with that wrong value is a broken
process.  if a variable named Ldap-UserDn is going to be used, then the
value of the DN in the tree is what i expect to find.  what about you?
i should not have to cobble together a value that claims to be collected
already.

>   User-Name is a standard RADIUS attribute.  Read the specs to see what
> it is.  Really... we are NOT going to document every one of 8000 RADIUS
> attributes.  That's ridiculous.
why not?  how are folks to know what they are?  given the berating they
get from the supposed help answering the mailing list, i doubt anyone
would ever really get answers if they had to find out something in
particular.  oh, and the attributes...  the ones found here:
http://freeradius.org/rfc/attributes.html THERE IS NOTHING ABOUT LDAP
ANYTHING.  disjointed documentation much?  in fact it seems that most
rlm_* attributes are not there at all.  so, what's the deal with that?
again, the users file references that, so why isn't it a complete
reference?

>   Stripped-User-Name is ... the User-Name, stripped of a realm.  Read
> the debug output to see what's going on.
> 
> >  where is the
> > documentation around what %{%{Stripped-User-Name}:-%{User-Name}} does
> 
> $ man unlang
> 
>   Which is referenced from the top comments on radiusd.conf.
> 
> >  vs
> > %{%{control:Ldap-UserDn}:-%{control:Ldap-UserDn}} (which does not seem
> > to work anyway)
> 
>   If you had read the documentation, you'd understand that the above
> text makes zero sense.
and thanks to the effort i have spent pulling your teeth, and rubbing
your ego, i now have some place to turn for research.  thanks.  this
could have been accomplished without you being a fuckchop 3 DAYS AGO.

>   And see the FAQ for "it doesn't work".  Really.
> 
> > yes, and a bunch of stuff is all that can be tried/done when no real,
> > comprehensive howtos exist on how to do this.
> 
>   Go to wiki.freeradius.org, and type "ldap" into the search box.  Hit
> <enter>.  Click on the first link.
> 
> > http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap
> > is the best i have found, and it does not work, is outdated or does not
> > do everything i am looking for.
> 
>   Yeah... third-party documentation that's 10 years old is preferable to
> reading the official FreeRADIUS Wiki, or the comments in the
> configuration files.
well, if the info was not contradictory and was written to start at some
point, provided clear steps to perform and ended with an accomplished
goal, maybe 10 year old docs would not be better than the official wiki,
but alas...

>   The FreeRADIUS documentation isn't perfect.  But this is your third
> message complaining about it... with little to no content.
> 
>   If all you say is "you guys suck", you won't solve the problem.
isn't perfect?  the technical writing is utter rubbish.
example/correlation:

i took 4 years of spanish in school, and learned nothing but vocabulary
and verb conjugation.  i can't speak the language to save my life, and
that's not for lack of effort.

i have read docs, comments, wiki pages, mailing lists, etc and have some
points that i know i can get to/through.  but, in no way, shape or form
can i call myself competent because no fundamental teachings exist on
where to start, what to do and how to get to a specific configuration
and successful implementation.  at best a hodge-podge of hacked together
directives are documented, isolated and atomically independent of any
larger effort to be undertaken.

i have been around the block.  i support several technologies for a
fortune 25 company.  our golden rule is the "grandma" test.  can the
docs i put together for a process/effort/change be given to my
grandmother and the work be done by her?  take a starting point, perform
deliberate steps (which include breakdowns of the commands with examples
or the actual command to be run), achieve the desired result, and
include a process to validate what is expected to be in place.

my grandma + your docs != work getting done.
> 
>   If you have *specific* and TECHNICAL questions, we can answer them.
> All it requires is for you to ask GOOD questions, with CONTENT.
> 
>   It's up to you.  Choose to ask useful questions, and you will get
> useful answers.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
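Added example (editor's illustration, not code from this thread or from the FreeRADIUS project): a small Python model of the authorize step the two of them are arguing about. It expands a filter template of the form `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` (the `:-` form means "use the first attribute if it is set, otherwise the second"), escapes the expanded value per RFC 4515 so a supplied User-Name cannot change the filter's structure, searches for the user's entry, records the found entry's full DN under `control:Ldap-UserDn`, and then checks group membership by comparing that full DN against the group's `member` values, which is where the "short" `uid=brendan` from the filter and the "long" `uid=brendan,ou=Users,dc=bpk2,dc=com` stored in the group differ. The directory contents, the group name `cn=vpn-users,ou=Groups,dc=bpk2,dc=com`, and the two-form expansion parser are assumptions for the example; real rlm_ldap behaviour is more involved and is documented in the module's configuration comments.

```python
import re

# Constructed sample directory (not real data); the DNs mirror the shape quoted in the thread.
DIRECTORY = {
    "uid=brendan,ou=Users,dc=bpk2,dc=com": {"uid": ["brendan"]},
    "uid=alice,ou=Users,dc=bpk2,dc=com": {"uid": ["alice"]},
    # Group membership is recorded as the full DN, so the short "uid=brendan"
    # from the user search filter cannot be compared to it directly.
    "cn=vpn-users,ou=Groups,dc=bpk2,dc=com": {  # hypothetical group, assumed for the example
        "cn": ["vpn-users"],
        "member": ["uid=brendan,ou=Users,dc=bpk2,dc=com"],
    },
}

# RFC 4515 escapes: a value expanded into a filter must not be able to alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when matching against stored values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_FALLBACK = re.compile(r"^%\{%\{([^{}]+)\}:-%\{([^{}]+)\}\}$")
_SIMPLE = re.compile(r"^%\{([^{}]+)\}$")


def expand(xlat, attrs):
    """Model of two unlang expansion forms (assumption: only these two are handled here):
    %{A}           -> value of attribute A, or "" if unset
    %{%{A}:-%{B}}  -> value of A if set, otherwise value of B, otherwise ""
    Attributes are looked up by full name, e.g. "User-Name" or "control:Ldap-UserDn"."""
    m = _FALLBACK.match(xlat)
    if m:
        return attrs.get(m.group(1)) or attrs.get(m.group(2)) or ""
    m = _SIMPLE.match(xlat)
    if m:
        return attrs.get(m.group(1)) or ""
    raise ValueError("unsupported expansion: " + xlat)


_XLAT_IN_FILTER = re.compile(r"%\{(?:%\{[^{}]+\}:-%\{[^{}]+\}|[^{}]+)\}")


def render_filter(template, attrs):
    """Expand every %{...} in a filter template, escaping each expanded value."""
    return _XLAT_IN_FILTER.sub(lambda m: escape_filter_value(expand(m.group(0), attrs)), template)


_EQ = re.compile(r"^\(([A-Za-z][\w-]*)=(.*)\)$")


def search(base_dn, ldap_filter):
    """Tiny subtree search that supports only a single (attr=value) equality filter."""
    m = _EQ.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, want = m.group(1), unescape_filter_value(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn) and want in entry.get(attr, [])]


def authorize(attrs, group_dn, base_dn="dc=bpk2,dc=com",
              filter_template="(uid=%{%{Stripped-User-Name}:-%{User-Name}})"):
    """Find the user's DN via the filter, then check group membership by that full DN."""
    ldap_filter = render_filter(filter_template, attrs)
    hits = search(base_dn, ldap_filter)
    if len(hits) != 1:
        return {"ok": False, "filter": ldap_filter, "dn": None,
                "reason": "user not found" if not hits else "ambiguous user search"}
    user_dn = hits[0]
    attrs = dict(attrs)
    attrs["control:Ldap-UserDn"] = user_dn  # the DN found by the search, kept for later steps
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    is_member = user_dn in members
    return {"ok": is_member, "filter": ldap_filter, "dn": user_dn,
            "reason": None if is_member else "not a member of " + group_dn}


if __name__ == "__main__":
    group = "cn=vpn-users,ou=Groups,dc=bpk2,dc=com"
    print(authorize({"User-Name": "brendan"}, group))
    print(authorize({"User-Name": "brendan@bpk2.com", "Stripped-User-Name": "brendan"}, group))
    print(authorize({"User-Name": "*"}, group))  # escaped to (uid=\2a): no wildcard search
```

Two things worth noticing when running it: a request carrying a realm (`brendan@bpk2.com`) with `Stripped-User-Name` set still yields `(uid=brendan)`, which is the point of the `:-` fallback; and a User-Name of `*` is escaped to `\2a` and matches nobody, whereas an unescaped expansion would have turned the user search into a wildcard.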