post-auth and ldap problem
Coil93
coil93 at gmail.com
Tue May 5 16:46:45 CEST 2015
Hi,
I'm using freeradius-3.0.8 for basic authz with AD integration.
My config is very simple:
./sites-enabled/test
authorize {
    ldap
    if (!ok) {
        reject
    } else {
        update control {
            Auth-Type := Accept
        }
    }
}
post-auth {
    ldap
}

./mods-enabled/ldap
ldap {
    server = 'ldaps://192.168.0.1'
    server = 'ldaps://192.168.0.2'
    identity = 'cn=Radius Server,ou=services,dc=test,dc=com'
    password = *****
    user {
        base_dn = 'ou=wifi,dc=test,dc=com'
    }
    post-auth {
        update {
            description += "Authenticated at %S"
        }
    }
}
So, I want to modify the "Description" field of an AD user to add a new value
to the existing record, not to replace it.
The problem is that radiusd is unwilling to modify the existing value
with the += operator and sends Auth-Type Reject to the NAS.
(2) # Executing section post-auth from file /etc/raddb/sites-enabled/alpha
(2) post-auth {
(2) ldap: EXPAND .
(2) ldap: --> .
(2) ldap: EXPAND Authenticated at %S
(2) ldap: --> Authenticated at 2015-05-05 17:23:03
rlm_ldap (ldap): Reserved connection (4)
(2) ldap: Using user DN from request "CN=Sony Xperia Z,OU=WiFi,DC=test,DC=com"
(2) ldap: Modifying object with DN "CN=Sony Xperia Z,OU=WiFi,DC=test,DC=com"
(2) ldap: Waiting for modify result...
(2) ldap: ERROR: Failed modifying object: Type or value exists
(2) ldap: ERROR: Server said: 00002081: AtrErr: DSID-030F154F, #1: 0:
00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att
d (description) .
rlm_ldap (ldap): Released connection (4)
(2) [ldap] = fail
(2) } # post-auth = fail
(2) Using Post-Auth-Type Reject
When I use the := operator, radiusd replaces all data in the Description
field with the "Authenticated at 2015-05-05 17:23:03" string without any
problem.
My question is: is there any way to append a value, rather than replace it, for AD
attributes? And how can I avoid rejects when post-auth fails?
Thank you,
JM
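One way to get append-like behaviour and to stop a failed modify from rejecting the session, as an added example that is not from the original post: the current description is read into control:Tmp-String-0 during the authorize-time lookup and written back with := plus the new suffix, and in post-auth the module's fail return code is given a low priority so the section can still finish with ok. The Tmp-String-0 attribute and the rcode-override form are my choices; only the server, identity and base_dn values come from the post.

```freeradius
# ./mods-enabled/ldap
ldap {
    server = 'ldaps://192.168.0.1'
    server = 'ldaps://192.168.0.2'
    identity = 'cn=Radius Server,ou=services,dc=test,dc=com'
    password = *****

    # Runs at authorize time: copy the user's existing description into a
    # control attribute so it is available again in post-auth.
    update {
        control:Tmp-String-0 := 'description'
    }

    user {
        base_dn = 'ou=wifi,dc=test,dc=com'
    }

    post-auth {
        update {
            # One LDAP replace that carries the old value plus the new entry.
            # If the attribute was empty, the expansion is just an empty prefix.
            description := "%{control:Tmp-String-0} Authenticated at %S"
        }
    }
}

# ./sites-enabled/test
post-auth {
    # By default "fail" has the action "return", which is what turned the
    # modify error into "post-auth = fail" and Post-Auth-Type Reject.
    # Give it a numeric priority instead so processing continues.
    ldap {
        fail = 1
    }
    # Then override the section result: the user has already been
    # authenticated, so a failed audit write should not reject them.
    if (fail) {
        ok
    }
}
```

The two parts are independent: the second only keeps a modify failure from becoming a reject, it does not make the write succeed, and the error itself still appears in the debug output for follow-up.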