FR 3.0.1 and LDAP group membership
Brendan Kearney
bpk678 at gmail.com
Sat May 31 02:59:53 CEST 2014
On Fri, 2014-05-30 at 08:45 +0100, Arran Cudbard-Bell wrote:
> On 30 May 2014, at 02:39, Brendan Kearney <bpk678 at gmail.com> wrote:
>
> > On Tue, 2014-05-27 at 22:04 +0100, Arran Cudbard-Bell wrote:
> >> On 27 May 2014, at 21:18, Brendan Kearney <bpk678 at gmail.com> wrote:
> >>
> >>> On Tue, 2014-05-27 at 20:37 +0100, Arran Cudbard-Bell wrote:
> >>>
> >>>> Without code patches you'd need to add radiusreplyItem attributes directly
> >>>> to the groups objects. The group objects and the profile objects would be
> >>>> one and the same.
> >>>>
> >>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >>>> FreeRADIUS Development Team
> >>>
> >>> what you say contradicts what you have stated previously:
> >>
> >> No, it doesn't.
> >>
> >>> Groups don't return replyItems only profiles do. Groups are only
> >>> used for checking membership, they cannot contain attributes themselves.
> >>
> >> An object in LDAP can belong to multiple objectClasses.
> >>
> >> Without an objectClass an object is is just an object, it's not a
> >> group it's not a profile.
> >>
> >> No an object which is just a member of the posixGroup class can't
> >> contain replyItems, or checkItems or any other RADIUS attributes.
> >>
> >> Yes an object which is a member of the radiusprofile class can
> >> contain replyItems, and checkItems and generic radius attributes.
> >>
> >> Being a member of posixGroup does not mean that the object cannot
> >> also be a member of radiusprofile.
> >>
> >> As I said, to do what you want to do, you actually want the group
> >> object to also be a radiusprofile object.
> >>
> >> Here's the order of operations, hopefully it'll clear things up:
> >>
> >> 1. enter mod_authorize
> >> 2. search in user.base_dn with scope user.scope with filter user.filter
> >> Requesting attributes:
> >> user.access_attribute (if set)
> >> profile.attribute
> >> all attributes on the right hand side of the update section
> >> Assuming user is found
> >> 3. store dn
> >> 4. check access_attribute value
> >> 5. apply update section mappings
> >> 6. foreach of the profile.attribute values
> >> Search in profile.attibute.value with filter profile.filter
> >> Requesting attributes:
> >> all attributes on the right hand side of the update section
> >> if object found apply update section mappings
> >> 7. return from mod_authorize
> >>
> >> I'm telling you to set profile.attribute to be 'memberOf' so that the
> >> profile code will iterate over all the group objects (which may also
> >> happen to be radiusprofile objects), performing attribute mappings.
> >>
> >> Note: Your memberOf attribute values must be DNs instead of group CN
> >> (or whichever attribute you use as group.name_attribute).
> >>
> >> If you want to iterate over a subset of the group objects (which also
> >> happen to be radiusprofile objects), then set an appropriate filter
> >> for profile.filter.
> >>
> >> Hint: Profile filter can contain XLAT expansions %{}.
> >>
> >>> Note that your profile attribute could be the same as your group
> >>> attribute i.e. memberOf, in which case you'd just need to add the
> >>> group objects to the radiusprofile object.
> >>>
> >>> am i to understand that 3.0.3 changes things or have i again missed
> >>> something important?
> >>
> >> Not dramatically since 3.0.0, i've tried my best to forget how the
> >> v2.x.x module worked. It's a traumatic experience looking over that
> >> code, I don't want to relive it again and again.
> >>
> >> Read: The v2.0.x code is a rats nest, I have no idea how, why or if
> >> it works correctly.
> >>
> >> In theory the same thing should work just fine for v2.0.x, but I don't
> >> know, and if it doesn't, you're on your own.
> >>
> >> -Arran
> >>
> >> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >> FreeRADIUS Development Team
> >>
> >> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> >>
> >> -
> >> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> > ok. i took what you said too literally. i thought that groups and
> > profiles had to be separate. with the group created and the additional
> > objectclass of radiusprofile added to the group, i now have the group
> > created in the way you said.
> >
> > i started a packet capture, then started radiusd -X and tried to sign
> > into my switch. the switch requested a specific VSA, radius looked up
> > my group memberships, found all of them, including the one with the
> > radiusreplyitem, and replies with an Access-Accept. what is missing is
> > the radiusreplyitem value/string in the Access-Accept message. the
> > group i am member of has the attribute, and the value is correct, but
> > radius is not replying with it. where am supposed to tell radius to
> > reply with the replyitem?
>
> The update block in the LDAP module config.
>
> update {
> reply: += 'replyItem'
> }
>
> There's already an example line, you just need to uncomment it.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
HUZZAH TO THE ARRAN FOR HIS INSIGHT AND ASSISTANCE!!! HowTo doc to
follow in a separate thread.
More information about the Freeradius-Users
mailing list