session log in SQL

Khapare Joshi khapare77 at gmail.com
Mon Apr 20 20:28:17 CEST 2015


Well, I have done it this way and it seems to work. Why it did not work before,
I don't know.

Added in /etc/raddb/ldap.attr
checkItem       affiliation                     eduPersonPrimaryAffiliation

In /etc/raddb/dictionary

ATTRIBUTE       affiliation             3004    string

Enabled the ldap module in /etc/raddb/sites-enabled/default

Then in /etc/raddb/sites-enabled/inner-tunnel (authorize section):

        # Look up eduPersonPrimaryAffiliation for the inner identity and put
        # it in the request list, where the "if" below can see it.
        update request {
                affiliation := "%{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}"
        }

        # Simultaneous-Use is a check item, so it goes into the control list.
        if (affiliation == "student") {
                update control {
                        Simultaneous-Use := 1
                }
        }

        if (affiliation == "staff") {
                update control {
                        Simultaneous-Use := 3
                }
        }

This works as it should. But why this did not work before I have no
clue. The 4th attempt actually gets rejected.


In radiusd -X, I can see this has been rejected:

  [ldap] - ldap_xlat
expand:
ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}
-> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com, with filter uid=testsim
  [ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] - ldap_xlat end
expand:
%{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}
-> staff
++} # update request = noop
++? if (affiliation == "student")
? Evaluating (affiliation == "student") -> FALSE
++? if (affiliation == "student") -> FALSE
++? if (affiliation == "staff")
? Evaluating (affiliation == "staff") -> TRUE
++? if (affiliation == "staff") -> TRUE
++if (affiliation == "staff") {
+++update control {
+++} # update control = noop
++} # if (affiliation == "staff") = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section session from file /etc/raddb/sites-enabled/inner-tunnel
+group session {
[sql] expand: %{Stripped-User-Name} -> testsim
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim
[sql] sql_set_user escaped user --> 'testsim'
[sql] expand: SELECT COUNT(*)                              FROM radacct
                         WHERE username = '%{SQL-User-Name}'
               AND acctstoptime IS NULL -> SELECT COUNT(*)
             FROM radacct                              WHERE username =
'testsim'                              AND acctstoptime IS NULL
rlm_sql (sql): Reserving sql socket id: 14
rlm_sql (sql): Released sql socket id: 14
++[sql] = ok
+} # group session = ok
Multiple logins (max 3) : [testsim at example.com] (from client
nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testsim at example.com
attr_filter: Matched entry DEFAULT at line 11


It still says "+++} # update control = noop",

but it works :)

On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77 at gmail.com> wrote:
> > I made a mistake on the regex thing because I was also testing the same with
> > affiliation and had these lines before I turned to test the gid thing. Sorry for
> > this
>
>   If you can't keep track of what you're doing, you will never solve the
> problem.
>
> > This did not work either.
>
>   Probably for the same reason.  You want one thing from the server, and
> you've configured it to do something else.
>
> > I checked both debug output, the first one (DEFAULT Simultaneous-Use :=
> > 1          Fall-Through = 1)  actually executes session but i don't see
> > these lines when i perform test with gidnumber check statement.
>
>   So read the debug output to see why.
>
> > ++? if (gidnumber < 200)
> >    (Attribute gidnumber was not found)
>
>   Doesn't that tell you anything?
>
>   You've configured the LDAP module to add the attribute to the CHECK
> items, and you're then looking for it in the REQUEST items.
>
>   This is all documented, and it's all available in the debug output.
>
>   I get the feeling that 3/4 of my posts here are just convincing people
> to READ the messages that they post to the list.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
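A worked example of the decision the session section makes in the debug output above, added here and not part of the original post or of FreeRADIUS itself. It uses the post's limits (student 1, staff 3), runs the same simul_count_query that rlm_sql expanded in the log over a constructed in-memory SQLite radacct, and adds the check a practitioner usually wants beside it: open sessions that stopped sending interim updates, which keep counting against the user until someone closes them. The table layout, sample rows, fixed clock and the two-hour stale threshold are assumptions made for this example.

```python
"""Simulate the Simultaneous-Use check that the FreeRADIUS session section
performs against radacct. Example code added to this page, not FreeRADIUS
code. Assumptions: a reduced radacct table, constructed sample sessions,
a fixed clock and a hypothetical two-hour stale-session threshold."""
import sqlite3
from datetime import datetime, timedelta

# Limits from the post's inner-tunnel config: student -> 1, staff -> 3.
# Any other affiliation leaves Simultaneous-Use unset, so nothing is enforced.
SIMULTANEOUS_USE = {"student": 1, "staff": 3}

# The simul_count_query expanded in the debug output (rlm_sql default),
# with a bind parameter in place of %{SQL-User-Name}.
SIMUL_COUNT_QUERY = (
    "SELECT COUNT(*) FROM radacct "
    "WHERE username = ? AND acctstoptime IS NULL"
)

NOW = datetime(2015, 4, 20, 20, 0, 0)   # fixed clock: keeps the example deterministic
STALE_AFTER = timedelta(hours=2)        # assumption: interim updates arrive far more often


def _ts(d):
    """Store timestamps as ISO-8601 text so string comparison orders them."""
    return d.isoformat() if d is not None else None


def make_radacct():
    """Build a radacct table with only the columns this check uses (a subset
    of the FreeRADIUS SQL schema) and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        " radacctid INTEGER PRIMARY KEY, username TEXT NOT NULL,"
        " nasipaddress TEXT, acctsessionid TEXT,"
        " acctstarttime TEXT, acctupdatetime TEXT, acctstoptime TEXT)"
    )
    # Constructed data: testsim has three open sessions (s1..s3) and one closed
    # one (s0); s3 has not sent an interim update for a day, i.e. it is stale.
    rows = [
        ("testsim", "192.0.2.1", "s1", NOW - timedelta(hours=1), NOW - timedelta(minutes=5), None),
        ("testsim", "192.0.2.1", "s2", NOW - timedelta(minutes=40), NOW - timedelta(minutes=10), None),
        ("testsim", "192.0.2.2", "s3", NOW - timedelta(days=1), NOW - timedelta(days=1), None),
        ("testsim", "192.0.2.1", "s0", NOW - timedelta(days=2), NOW - timedelta(days=2), NOW - timedelta(days=2)),
        ("alice", "192.0.2.1", "a1", NOW - timedelta(minutes=3), NOW - timedelta(minutes=3), None),
    ]
    conn.executemany(
        "INSERT INTO radacct (username, nasipaddress, acctsessionid,"
        " acctstarttime, acctupdatetime, acctstoptime) VALUES (?,?,?,?,?,?)",
        [(u, nas, sid, _ts(start), _ts(upd), _ts(stop)) for u, nas, sid, start, upd, stop in rows],
    )
    return conn


def open_sessions(conn, username):
    """Number of radacct rows with no Acct-Stop yet, exactly as the query counts them."""
    return conn.execute(SIMUL_COUNT_QUERY, (username,)).fetchone()[0]


def check_simultaneous_use(conn, username, affiliation):
    """Return ('accept' | 'reject', open_count) the way the session section decides.

    With Simultaneous-Use := 3 the first three logins pass and the fourth is
    rejected, matching "Multiple logins (max 3)" in the post's debug output."""
    limit = SIMULTANEOUS_USE.get(affiliation)
    if limit is None:
        return "accept", None          # no check item set: session section does nothing
    count = open_sessions(conn, username)
    if count >= limit:
        return "reject", count
    return "accept", count


def stale_open_sessions(conn, now=NOW, max_age=STALE_AFTER):
    """Open sessions whose last interim update is older than max_age.

    Typically a NAS reboot or a lost Accounting-Stop: radacct still shows the
    session as open, so it counts against the user until it is closed."""
    cutoff = _ts(now - max_age)
    return conn.execute(
        "SELECT username, acctsessionid, nasipaddress FROM radacct"
        " WHERE acctstoptime IS NULL AND acctupdatetime < ?"
        " ORDER BY radacctid",
        (cutoff,),
    ).fetchall()


if __name__ == "__main__":
    db = make_radacct()
    for user, aff in [("testsim", "staff"), ("testsim", "student"),
                      ("alice", "student"), ("alice", "faculty")]:
        print(user, aff, check_simultaneous_use(db, user, aff))
    print("stale open sessions:", stale_open_sessions(db))
```

The stale-session query is the part to watch in production: the count query above treats a day-old session with no updates as still active, so one crashed NAS can lock a student out until the row is closed. FreeRADIUS can verify the counted sessions against the NAS (checkrad) when that is configured; otherwise a periodic job that closes rows past the threshold is the usual fix.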


More information about the Freeradius-Users mailing list