Preserve ldap attributes after proxy
Tamás Becz
tamas.becz at ericsson.com
Sun Nov 9 11:58:05 CET 2014
Hi,
> > Now with a new solution I also need to query a central ldap database
> > for authorization info: I need to get a given attribute off of user
> > records and present them to the NAS. I was pointing my finger at
> > Filter-Id, but purely because the NAS docs point at it, it could really
> > be anything.
>
> You probably don't want to use Filter-ID. It has a pre-defined meaning.
> Using it for another purpose is bad.
>
Yes I got that, but the NAS (which is mainly a VPN concentrator) actually
uses the value for assigning firewall rules to the user's session, which is
precisely what Filter-Id is for if I understand the rfc correctly. Due to
the complexity of the NAS, it also does other stuff based on this, but
Filter-Id really is the closest in rfc 3850 (probably this is why they are
also pointing at this). However, I will check how hard it is to extend with a
vendor-specific attribute instead.
>
> > However, when I then proxy the request these extra Filter-Ids are
> > lost: they are neither proxied (which is just as well, I really don't
> > know what the homeserver would do about it) nor are they sent in my
> > reply. I've found traces of something like this being discussed, that
> > this is because there is a separate data structure, but that is over a
> > decade old, and I'm a bit confused on how this is supposed to work.
>
> What you're *not* saying is that you're putting the Filter-ID into the
> reply list. That gets replaced by the reply from the home server.
>
> If you want the attributes kept... put them in another list.
>
Actually I did ;) But for sure it's only because rlm_ldap either does that
or puts them onto the check list; thanks for the clarification.
> > Is there a way to keep those attributes (or to get them after proxying,
> > either in post-proxy or post-auth maybe?) by using rlm_ldap?
>
> No. Put the attributes into the "control" list. That's what it's for.
> Then, copy them to the reply in post-auth.
>
Currently I can't test, but do I understand correctly that rlm_ldap can't
put things on the control list, but I could use unlang to copy the
attributes from reply to control in authorize after ldap, then copy them
back in post-auth?
Thanks!
tamas
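As an added illustration (not part of this thread or of the FreeRADIUS project's own configuration), the control-list approach described above written as FreeRADIUS 3.0 unlang; it assumes the rlm_ldap instance is named `ldap` and that it places the LDAP-derived value in the reply list as Filter-Id, as the poster observed:

```unlang
# Added example, not from the thread. Assumes FreeRADIUS 3.0 unlang,
# an rlm_ldap instance called "ldap", and that it puts the attribute
# of interest (Filter-Id) into the reply list.
authorize {
    preprocess
    # ... other authorize modules ...
    ldap

    # Proxying replaces the reply list with the home server's reply,
    # so park the LDAP-derived attributes in the control list, which
    # survives proxying. "[*]" copies every instance of the attribute.
    if (&reply:Filter-Id) {
        update control {
            &Filter-Id += &reply:Filter-Id[*]
        }
    }
}

post-auth {
    # post-auth runs after post-proxy, i.e. after the home server's reply
    # has been merged in, so the locally sourced attributes are restored
    # here before the Access-Accept is sent to the NAS.
    if (&control:Filter-Id) {
        update reply {
            &Filter-Id += &control:Filter-Id[*]
        }
    }
}
```

Run `radiusd -X` and check the debug output for the `update control` and `update reply` blocks to confirm the copies happen before the proxy and after the home server's reply respectively.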