Version 3 ldap Generic
Alan DeKok
aland at deployingradius.com
Tue Oct 14 15:12:34 CEST 2014
Cody Ritts wrote:
> I am upgrading from FR 1.1 to 3.0.4.
That's good.
> The example ldap contents of dslACLin and dslACLout are:
>> dslACLin: cisco-avpair += "ip:inacl=OUTBOUND"
>> dslACLout: cisco-avpair += "ip:outacl=FIREWALL"
>
>
> So, in my mods-enabled/ldap, when I added:
>> valuepair_attribute = "dslACLin"
>
> In my radtest reply, I do get a:
>> Cisco-AVPair = "ip:inacl=OUTBOUND"
That's good.
> But based on one of the other threads and the way that it is configured,
> I will assume that "valuepair_attribute =" is only good once?
Yes.
> so I add:
>> reply: += 'dslACLout'
>
> Then radiusd -X gets:
>>> /usr/local/etc/raddb/mods-enabled/ldap[85]: Invalid source for list '+='
Yes, sorry. That comes from overloading the meaning of the "update"
sections.
Hmm... the *intent* was to allow it. But it looks like the sanity
checks in the rest of the code don't allow it.
This is why I'm against re-using the same name ("update") in a
different context, with different semantics. It's inconsistent, and it
can break things.
> So I don't know what I am doing wrong there, but I also bear in mind that
> this is just a "compatibility" feature, so when that gets dropped I will
> still be in the same spot.
It won't get dropped. But it should get fixed.
> That makes me wonder about how I should have done that in the first
> place. I suppose I used GENERIC because it was in the same file as the
> other attributes, I tried it and it worked. Is there a "more correct"
> way of doing that for long term support? Like creating dictionary
> entries for those attributes then map them?
No. It's a bug. It should get fixed.
> Also, as an interim solution until I can update my schema and management
> applications, if I add dslACLout to the dictionary, and map it, then is
> it possible to use unlang and regex in post-auth/"update reply" to parse
> "cisco-avpair +=" out of dslACLout and then add it back in as cisco-avpair?
Yes, but it's awkward.
Alan DeKok.
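
Added example, not part of the original message and not FreeRADIUS code: a Python parser for the schema and management-application update mentioned above, splitting stored generic strings such as dslACLin into attribute, operator and value so the bare value can be stored in a mapped attribute. The grammar, the accepted operators (=, :=, +=) and the function names are assumptions inferred from the two samples in the thread.

```python
import re

# Assumed grammar, inferred from the two samples quoted in the thread:
#   <attribute> <operator> <value>, value optionally quoted.
# Accepting only =, := and += is an assumption of this example.
_PAIR = re.compile(r'''
    ^\s*(?P<attr>[A-Za-z0-9][A-Za-z0-9_.-]*)\s*
    (?P<op>\+=|:=|=)\s*
    (?P<value>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s"']+)\s*$
''', re.VERBOSE)


def parse_valuepair(raw):
    """Split one generic valuepair string into (attribute, operator, value)."""
    m = _PAIR.match(raw)
    if m is None:
        raise ValueError("not a valuepair: %r" % raw)
    value = m.group("value")
    if value[0] in "\"'":
        # Drop the surrounding quotes and undo backslash escapes.
        value = re.sub(r"\\(.)", r"\1", value[1:-1])
    return m.group("attr"), m.group("op"), value


def to_plain_value(raw, expected_attr="Cisco-AVPair"):
    """Return the bare value, refusing entries that name another attribute."""
    attr, _op, value = parse_valuepair(raw)
    if attr.lower() != expected_attr.lower():
        raise ValueError("%r names %s, expected %s" % (raw, attr, expected_attr))
    return value


def migrate(entry):
    """Map each LDAP attribute of one entry to its bare reply value."""
    return {name: to_plain_value(raw) for name, raw in entry.items()}


# The two LDAP values quoted in the thread.
SAMPLE_ENTRY = {
    "dslACLin": 'cisco-avpair += "ip:inacl=OUTBOUND"',
    "dslACLout": 'cisco-avpair += "ip:outacl=FIREWALL"',
}

if __name__ == "__main__":
    for name, value in migrate(SAMPLE_ENTRY).items():
        print(name, "->", value)
```

Entries that do not parse, or that name an attribute other than the expected one, raise ValueError rather than being copied into the new attribute.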