FreeRADIUS, OpenLDAP and F5 VSAs
Olivier Beytrison
olivier at heliosnet.org
Thu May 22 07:28:37 CEST 2014
On 21.05.2014 21:41, Ajinkya Fotedar wrote:
> (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Info-1+=\"R&D\"'
> (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Partition+=\"RnD\"'
> (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Role+=\"100\"'
> (0) ldap : reply:F5-LTM-User-Info-1 := 'F5-LTM-User-Shell+=\"tmsh\"'
What's actually wrong in your config is this entry in the ldap update map:
reply:F5-LTM-User-Info-1 := 'radiusReplyItem'
If you're using 3.0.x you should instead set
valuepair_attribute = "radiusReplyItem"
in your ldap configuration, and update your LDAP entries to add the list:
# R&D, Groups, F5, Configuration, NIS, vt
dn: cn=R&D,ou=Groups,ou=F5,ou=Configuration,ou=NIS,o=vt
cn: R&D
description: Entries for the R&D group user accounts
member: uid=dawson,ou=People,ou=NIS,o=vt
radiusReplyItem: reply:F5-LTM-User-Info-1+="R&D"
radiusReplyItem: reply:F5-LTM-User-Partition+="RnD"
radiusReplyItem: reply:F5-LTM-User-Role+=100
radiusReplyItem: reply:F5-LTM-User-Shell+="tmsh"
You could also set, in the update {} section,
reply: += 'radiusReplyItem'
and this would work too, but it is only provided for backward compatibility. I'd encourage you to use the new valuepair_attribute instead.
For reference:
https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/ldap#L27
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mail: olivier at heliosnet.org
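The ldap module configuration the reply above recommends, written out as an added example; it is not part of the original message and not a file shipped by the FreeRADIUS project. The server address, bind DN, bind password and base DN are placeholders assumed for illustration; the option names (valuepair_attribute, update, user) and the commented-out mappings are those of the 3.0.x mods-available/ldap module discussed in the thread.

```conf
# /etc/raddb/mods-available/ldap  (FreeRADIUS 3.0.x) - added example
# Connection details below are assumed placeholders, not from the thread.
ldap {
	server   = "ldap.example.org"      # assumed
	identity = "cn=radius,o=vt"        # assumed bind DN
	password = "changeme"              # assumed; keep this file root-only (0600)
	base_dn  = "o=vt"                  # assumed search base

	# Every value of this LDAP attribute is parsed as a complete
	# "<list>:<attribute> <op> <value>" pair, the same syntax as a line in
	# an unlang update block. That is what turns
	#   radiusReplyItem: reply:F5-LTM-User-Role+=100
	# into a real F5-LTM-User-Role reply attribute instead of a string.
	valuepair_attribute = "radiusReplyItem"

	update {
		# WRONG (the mapping from the original post): this copies the raw
		# text 'reply:F5-LTM-User-Partition+="RnD"' into F5-LTM-User-Info-1,
		# so F5-LTM-User-Partition, -Role and -Shell are never set at all.
		#reply:F5-LTM-User-Info-1 := 'radiusReplyItem'

		# Backwards-compatible equivalent of valuepair_attribute; it works,
		# but prefer the option above as the reply suggests.
		#reply: += 'radiusReplyItem'

		# Ordinary attribute-to-attribute mappings are unaffected.
		control:Password-With-Header += 'userPassword'
	}

	user {
		base_dn = "ou=People,ou=NIS,${..base_dn}"        # assumed
		filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}
```

Check the change with `radiusd -X`: after a test request the ldap module's debug output should show F5-LTM-User-Partition, F5-LTM-User-Role and F5-LTM-User-Shell as separate reply attributes, rather than the four F5-LTM-User-Info-1 lines quoted at the top of the message. One caveat worth stating: once radiusReplyItem is interpreted as value pairs, anyone who can write that attribute on an entry rlm_ldap reads can hand a user any reply attribute, including the F5 role and partition, so restrict write access to radiusReplyItem in the directory's ACLs to the accounts that are meant to manage it.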