session log in SQL
Khapare Joshi
khapare77 at gmail.com
Mon Apr 20 20:28:17 CEST 2015
Well, I have done it this way and it seems to work. Why it did not work before,
I don't know.
Added to /etc/raddb/ldap.attr:
checkItem affiliation eduPersonPrimaryAffiliation
In /etc/raddb/dictionary:
ATTRIBUTE affiliation 3004 string
Enabled the ldap module in /etc/raddb/sites-enabled/default,
then in /etc/raddb/sites-enabled/inner-tunnel:
update request {
    # LDAP URL as shown in the debug output below: base dc=example,dc=com,
    # attribute eduPersonPrimaryAffiliation, subtree scope, filter on uid
    affiliation := "%{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}"
}
if (affiliation == "student") {
    update control {
        Simultaneous-Use := 1
    }
}
if (affiliation == "staff") {
    update control {
        Simultaneous-Use := 3
    }
}
This works as it should. But why this did not work before, I have no
clue. The 4th attempt actually gets rejected.
In radiusd -X, I can see this has been rejected:
[ldap] - ldap_xlat
expand:
ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}
-> ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=testsim
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=example,dc=com, with filter uid=testsim
[ldap] Adding attribute eduPersonPrimaryAffiliation, value: staff
[ldap] ldap_release_conn: Release Id: 0
[ldap] - ldap_xlat end
expand:
%{ldap:ldap:///dc=example,dc=com?eduPersonPrimaryAffiliation?sub?uid=%{Stripped-User-Name}}
-> staff
++} # update request = noop
++? if (affiliation == "student")
? Evaluating (affiliation == "student") -> FALSE
++? if (affiliation == "student") -> FALSE
++? if (affiliation == "staff")
? Evaluating (affiliation == "staff") -> TRUE
++? if (affiliation == "staff") -> TRUE
++if (affiliation == "staff") {
+++update control {
+++} # update control = noop
++} # if (affiliation == "staff") = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section session from file /etc/raddb/sites-enabled/inner-tunnel
+group session {
[sql] expand: %{Stripped-User-Name} -> testsim
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} -> testsim
[sql] sql_set_user escaped user --> 'testsim'
[sql] expand: SELECT COUNT(*) FROM radacct
WHERE username = '%{SQL-User-Name}'
AND acctstoptime IS NULL -> SELECT COUNT(*)
FROM radacct WHERE username =
'testsim' AND acctstoptime IS NULL
rlm_sql (sql): Reserving sql socket id: 14
rlm_sql (sql): Released sql socket id: 14
++[sql] = ok
+} # group session = ok
Multiple logins (max 3) : [testsim at example.com] (from client
nas1.example.com port 7705 cli 2064.3261.6d2d via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} -> testsim at example.com
attr_filter: Matched entry DEFAULT at line 11
It still says +++} # update control = noop
but works :)
On Wed, Apr 8, 2015 at 3:56 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 8, 2015, at 6:22 AM, Khapare Joshi <khapare77 at gmail.com> wrote:
> > I made a mistake on the regex thing because I was also testing the same with
> > affiliation and had these lines before I turned to test the gid thing. Sorry for
> > this.
>
> If you can't keep track of what you're doing, you will never solve the
> problem.
>
> > This did not work either.
>
> Probably for the same reason. You want one thing from the server, and
> you've configured it to do something else.
>
> > I checked both debug outputs; the first one (DEFAULT Simultaneous-Use :=
> > 1 Fall-Through = 1) actually executes session, but I don't see
> > these lines when I perform the test with the gidnumber check statement.
>
> So read the debug output to see why.
>
> > ++? if (gidnumber < 200)
> > (Attribute gidnumber was not found)
>
> Doesn't that tell you anything?
>
> You've configured the LDAP module to add the attribute to the CHECK
> items, and you're then looking for it in the REQUEST items.
>
> This is all documented, and it's all available in the debug output.
>
> I get the feeling that 3/4 of my posts here are just convincing people
> to READ the messages that they post to the list.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
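The rejection in the debug output comes from the session section: rlm_sql counts the rows in radacct that have no acctstoptime for the user and compares that count with the control item Simultaneous-Use set per affiliation. The following is an added example, not code from the post or from FreeRADIUS, that models exactly that decision against a constructed in-memory radacct table (sqlite3, only the columns the count needs) and shows the 4th staff login being rejected. It assumes the same limits as the inner-tunnel config (student = 1, staff = 3); the real module also has extra checks (for example verifying stale sessions with checkrad) that are not modelled here.

```python
import sqlite3

# Per-affiliation Simultaneous-Use limits as set in the inner-tunnel config
# in the post (assumption: the same values, keyed by affiliation string).
SIMULTANEOUS_USE = {"student": 1, "staff": 3}


def make_radacct():
    """Constructed in-memory stand-in for the radacct table; only the
    columns the simultaneous-use count query needs are modelled."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radacct ("
        " radacctid INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " acctstoptime TEXT)"
    )
    return conn


def open_sessions(conn, username):
    """The count query from the [sql] debug lines, but parameterised: the
    username is bound instead of being expanded into the SQL string."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM radacct WHERE username = ? AND acctstoptime IS NULL",
        (username,),
    ).fetchone()
    return count


def start_session(conn, username):
    """Accounting Start: a row with NULL acctstoptime marks a live session."""
    conn.execute("INSERT INTO radacct (username) VALUES (?)", (username,))


def stop_session(conn, username):
    """Accounting Stop: close the oldest still-open session for the user."""
    conn.execute(
        "UPDATE radacct SET acctstoptime = datetime('now') WHERE radacctid = "
        "(SELECT MIN(radacctid) FROM radacct"
        "  WHERE username = ? AND acctstoptime IS NULL)",
        (username,),
    )


def check_login(conn, username, affiliation):
    """The decision the session section makes: reject once the number of
    open sessions already reaches Simultaneous-Use for this affiliation.
    Returns (accept, reason)."""
    limit = SIMULTANEOUS_USE.get(affiliation)
    if limit is None:
        # No Simultaneous-Use control item set: no limit is enforced.
        return True, "no Simultaneous-Use set for affiliation %r" % (affiliation,)
    active = open_sessions(conn, username)
    if active >= limit:
        return False, "Multiple logins (max %d) : [%s]" % (limit, username)
    return True, "%d of %d sessions in use" % (active, limit)


def simulate(username, affiliation, attempts):
    """Run `attempts` consecutive logins, starting accounting on each accept,
    and return the list of accept/reject decisions."""
    conn = make_radacct()
    decisions = []
    for _ in range(attempts):
        ok, _reason = check_login(conn, username, affiliation)
        decisions.append(ok)
        if ok:
            start_session(conn, username)
    return decisions


if __name__ == "__main__":
    # Matches the debug output: staff gets three sessions, the 4th is rejected.
    print(simulate("testsim", "staff", 4))    # [True, True, True, False]
    print(simulate("testsim", "student", 2))  # [True, False]
```

The count only works if Accounting Stop packets actually close the rows; a NAS that never sends Stops leaves stale rows with NULL acctstoptime and users get locked out, which is why production setups also need a way to clear or verify stale sessions.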