Version 3 ldap Generic
Cody Ritts
cr at caltel.com
Tue Oct 14 16:17:48 CEST 2014
On 10/14/14, Alan DeKok wrote:
>> so I add:
>>> reply: += 'dslACLout'
>>
>> Then radiusd -X gets:
>>>> /usr/local/etc/raddb/mods-enabled/ldap[85]: Invalid source for list '+='
>
> Yes, sorry. That comes from overloading the meaning of the "update"
> sections.
>
> Hmm... the *intent* was to allow it. But it looks like the sanity
> checks in the rest of the code don't allow it.
>
> This is why I'm against re-using the same name ("update") in a
> different context, with different semantics. It's inconsistent, and it
> can break things.
>
>> So I don't know what I am doing wrong there, but I also bear in mind that
>> this is just a "compatibility" feature, so when that gets dropped I will
>> still be in the same spot.
>
> It won't get dropped. But it should get fixed.
Ok, good to know, thank you very much. Should I create a bug report?
>> Also, as an interim solution until I can update my schema and management
>> applications, if I add dslACLout to the dictionary, and map it, then is
>> it possible to use unlang and regex in post-auth/"update reply" to parse
>> "cisco-avpair +=" out of dslACLout and then add it back in as cisco-avpair?
>
> Yes, but it's awkward.
Just for future thread searches and completeness, this is the kludge I
stuck in my server config which seems to get the job done for the time
being.
post-auth {
    ## dslACLin = "cisco-avpair += \"ip:inacl=OUTBOUND\""
    if ("%{reply:dslACLin}" =~ /^cisco-avpair \\+= \\\\\"(.*)\\\\.*$/i) {
        update reply {
            Cisco-AVPair += "%{1}"
        }
    }
    if ("%{reply:dslACLout}" =~ /^cisco-avpair \\+= \\\\\"(.*)\\\\.*$/i) {
        update reply {
            Cisco-AVPair += "%{1}"
        }
    }
}
Thanks again for your help and making such a versatile tool.
Cody
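
Added example (not part of the original post and not FreeRADIUS code): the extraction the unlang kludge above performs, done strictly in Python as a check that could run on the directory side while the schema is migrated. It assumes the legacy value has the form shown in the post's comment, with the quotes either bare or backslash-escaped; `parse_legacy_pair`, `ALLOWED_ATTRS` and the sample values are hypothetical.

```python
import re

# Assumption: a legacy LDAP value looks like the post's comment,
#   cisco-avpair += "ip:inacl=OUTBOUND"
# with the quotes either bare or backslash-escaped.
LEGACY = re.compile(
    r'''^\s*(?P<attr>[A-Za-z][A-Za-z0-9-]*)\s*   # attribute name
        (?P<op>\+=|:=|=)\s*                      # operator
        (?P<q>\\?")(?P<value>.*?)(?P=q)\s*$      # quoted value, same quote style both ends
    ''',
    re.VERBOSE,
)

# Hypothetical allow-list: legacy name (lower case) -> dictionary attribute name.
ALLOWED_ATTRS = {"cisco-avpair": "Cisco-AVPair"}


def parse_legacy_pair(raw):
    """Return (attribute, operator, value), or None if the value is rejected."""
    m = LEGACY.match(raw)
    if m is None:
        return None
    attr = ALLOWED_ATTRS.get(m.group("attr").lower())
    # Only the attribute and operator the post deals with are accepted.
    if attr is None or m.group("op") != "+=":
        return None
    value = m.group("value")
    # Reject empty values and embedded quotes, backslashes or control
    # characters instead of guessing where the value ends.
    if not value or re.search(r'["\\\x00-\x1f]', value):
        return None
    return attr, "+=", value


# Constructed sample values, not taken from a real directory.
SAMPLES = [
    'cisco-avpair += "ip:inacl=OUTBOUND"',
    'cisco-avpair += \\"ip:outacl=INBOUND\\"',
    'Framed-IP-Address += "10.0.0.1"',
    'cisco-avpair += "a"b"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", parse_legacy_pair(sample))
```

Unlike the greedy `(.*)` in the kludge, this returns nothing for a value it cannot parse unambiguously, so a malformed directory entry is skipped rather than copied into the reply.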