How to add VAP based on LDAP group membership
Thomas Stather
Thomas.Stather at mpimf-heidelberg.mpg.de
Mon Feb 22 14:01:09 CET 2016
Hi
I wrote a snippet in policy.d to create a VAP I can then use for the LDAP query:
    mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'

    # add a VAP "LDAP-MacAddress" to be used for ldap query
    # Calling-Station-Id has already been normalized by the "rewrite-calling-station-id" function
    add-mac-ldap {
        if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
            update control {
                LDAP-MacAddress := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
            }
            updated
        }
        else {
            noop
        }
    }
And then added this VAP to the dictionary:

    ATTRIBUTE LDAP-MacAddress 3000 string
The LDAP query that I use is:

    if ("%{ldap1:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{LDAP-MacAddress}}") {
        ...
    }
but it's still not working. The log shows:
(53) post-auth {
(53) policy add-mac-ldap {
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(53) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(53) update control {
(53) EXPAND %{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}
(53) --> a4:34:d9:22:da:5d
(53) LDAP-MacAddress := a4:34:d9:22:da:5d
(53) } # update control = noop
(53) [updated] = updated
(53) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(53) ... skipping else for request 53: Preceding "if" was taken
(53) } # policy add-mac-ldap = updated
(53) if (Realm == "testdomain.de") {
(53) if (Realm == "testdomain.de") -> TRUE
(53) if (Realm == "testdomain.de") {
(53) if ("%{ldap1:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{LDAP-MacAddress}}") {
rlm_ldap (ldap1): Reserved connection (8)
(53) Performing search in "ou=hosts,dc=testdomain,dc=de" with filter "macAddress=", scope "sub"
(53) Waiting for search result...
(53) Search returned no results
rlm_ldap (ldap1): Released connection (8)
(53) EXPAND %{ldap1:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{LDAP-MacAddress}}
(53) -->
(53) if ("%{ldap1:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{LDAP-MacAddress}}") -> FALSE
(53) else {
(53) update reply {
(53) Aruba-User-Vlan = 500
(53) } # update reply = noop
(53) } # else = noop
(53) } # if (Realm == "testdomain.de") = noop
(53) ... skipping else for request 53: Preceding "if" was taken
(53) } # post-auth = updated
What am I doing wrong?
Best,
Thomas
On 22.02.16 12:01 PM, Thomas Stather <Thomas.Stather at mpimf-heidelberg.mpg.de> wrote:
>
> Hi
>
> Thanks a lot Stefan Paetow and Michael Ströder for pointing me in the right direction :)
> Now I have another (but hopefully not difficult to solve) problem.
>
> I get "Search returned no results" output, which is obvious, since the MAC address VAP (after "rewrite-calling-station-id") has the format:
>
> AA-BB-CC-DD-EE-FF
>
> but on the ldap-server, the format is
>
> aa:bb:cc:dd:ee:ff
>
> How can I rewrite the MAC address only for this LDAP query (and not globally)? I hope then it will work in my case.
>
>
> Best,
>
> Thomas
>
> On 22.02.2016 at 10:25, Stefan Paetow wrote:
> >
> > >
> > > if ("%{redundant_ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{Calling-Station-Id}}") { update reply { Aruba-User-Vlan = "200" }}
> > >
> >
> > Try:
> >
> > if ("%{redundant_ldap:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?macAddress=%{Calling-Station-Id}}") {
> > ...
> > }
> >
> > Your original statement just refers to the ldap module, so it's seen as 'feed "///ou=hosts,..." to redundant_ldap', not 'feed "ldap:///ou=hosts,..." to redundant_ldap'.
> >
> > :-)
> >
> > Stefan Paetow
> > Moonshot Industry & Research Liaison Coordinator
> > t: +44 (0)1235 822 125
> > gpg: 0x3FCE5142
> > xmpp: stefanp at jabber.dev.ja.net
> > skype: stefan.paetow.janet
>
> --
> Thomas Stather
> IT Services
> Tel: +49 6221-486 628
> Fax: +49 6221-486 561
> ------------------------------------------------------------------------
> Max Planck Institute for Medical Research (MPImF)
> Jahnstrasse 29, 69120 Heidelberg
> Germany
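The following is an added example, not configuration from the original post or from the FreeRADIUS project: a complete policy.d fragment plus a post-auth section that normalises Calling-Station-Id and queries LDAP with the normalised value. It reuses the mac-addr-regexp, the LDAP-MacAddress dictionary attribute, the ldap1 instance, the ou=hosts,dc=testdomain,dc=de base and the Aruba-User-Vlan attribute from the thread; the VLAN numbers and the exact placement inside post-auth are assumptions for illustration. The one substantive difference from the posted config is the attribute reference inside the xlat: an attribute set with update control lives in the control list, so it has to be expanded as %{control:LDAP-MacAddress}. A bare %{LDAP-MacAddress} reads the request list, where nothing was set, and expands to an empty string, which is exactly the filter "macAddress=" shown in the debug output above.

```unlang
# Added example (not from the original post).
# Part 1: goes in a file under policy.d/ (FreeRADIUS 3.x).

mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})'

# Copy a normalised form of Calling-Station-Id into the control list.
# Only the six hex-pair capture groups are used, so whatever separator
# the NAS sent ("-", ":", "." or none) is discarded and the result is
# always "aa:bb:cc:dd:ee:ff", the format stored in the directory.
add-mac-ldap {
	if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) {
		update control {
			&LDAP-MacAddress := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
		}
		updated
	}
	else {
		# No usable MAC: leave control:LDAP-MacAddress unset so the
		# lookup below is skipped instead of searching for "".
		noop
	}
}

# Part 2: goes in the post-auth section of the virtual server.
# Assumed VLAN numbers (200 = known host, 500 = everything else).

post-auth {
	add-mac-ldap

	# The attribute was written with "update control", so it must be
	# read back from the control list. "%{LDAP-MacAddress}" would look
	# in the request list, expand to "", and produce the filter
	# "macAddress=" that matches nothing.
	if (&control:LDAP-MacAddress && "%{ldap1:ldap:///ou=hosts,dc=testdomain,dc=de?macAddress?sub?(macAddress=%{control:LDAP-MacAddress})}") {
		update reply {
			&Aruba-User-Vlan := 200
		}
	}
	else {
		update reply {
			&Aruba-User-Vlan := 500
		}
	}
}
```

Keep the regex guard in front of the query: Calling-Station-Id is filled in by the NAS from what the client presented, so treat it as untrusted input. Because the capture groups in the guard only pass hex digits and the xlat inserts fixed colons between them, the string that reaches the LDAP filter is always twelve hex digits and five colons, never a filter metacharacter such as "*" or ")". To check the fix, run radiusd -X and confirm that the "Performing search in ... with filter" line shows the full address instead of "macAddress=".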