debug User-Profile

MichaelLeung gbcbooksmj at gmail.com
Fri Mar 18 10:05:28 CET 2016


hope this could help more people

On 03/18/2016 04:55 PM, MichaelLeung wrote:
> finally, i figured out how it works
>
> first, edit mods-available/ldap
> in global section
> add:
>
> valuepair_attribute = "radiusReplyItem"
>
> in profile section
> uncomment and change the default values
> profile {
>     default = "%{control:User-Profile}"
> }
>
> go to policy.d/ directory
> create a policy, whatever you name it
> whatevername {
>     if (Ldap-Group == "groupname in LDAP, or DN") {
>         # the profile DN must be set in the control list, with ":="
>         # (assignment), so that the ldap module picks it up as User-Profile
>         update {
>             &control:User-Profile := "profile dn in LDAP"
>         }
>         updated
>     }
>     else {
>         reject
>     }
> }
>
> go to sites-available/ directory
>
> edit the virtual server you want
>
> in the authorize section
>
> add the policy into it
>
> On 03/18/2016 02:07 PM, MichaelLeung wrote:
>> i find this in wiki.freeradius.org
>>
>>
>>   LDAP ATTRIBUTES
>>
>> In version 2, the mapping between RADIUS attributes 
>> <http://wiki.freeradius.org/protocol/Attributes> and LDAP 
>> <http://wiki.freeradius.org/protocol/LDAP> attributes is in 
>> raddb/ldap.attrmap. You can edit that file and add any new mapping 
>> that you may need. The LDAP-schema file is located in 
>> doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the 
>> ldap server schema should be updated.
>>
>> All ldap entries containing radius attributes should contain at least 
>> "objectclass: radiusprofile"
>>
>> radiusCheckItem and radiusReplyItem are special. They allow the 
>> administrator to add any check or reply item respectively without 
>> adding it in the ldap schema. The format should be:
>>
>> ldap-attribute: radius-attribute operator value
>>
>> The version 3 attribute mapping is in the module configuration file 
>> |raddb/mods-available/ldap|
>>
>> For Example:
>>
>> radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
>>
>>
>> but i don't understand: if we map the radius attr and ldap attr, 
>> then give it a value, why do we store the replyitem in LDAP?
>>
>>
>> On 03/18/2016 01:46 PM, MichaelLeung wrote:
>>> does freeradius 3.0.4 still have ldap.attrmap?
>>>
>>> On 03/18/2016 12:46 PM, MichaelLeung wrote:
>>>> how can i get radiusReplyItem from LDAP?
>>>>
>>>> On 03/18/2016 09:25 AM, MichaelLeung wrote:
>>>>> any help?
>>>>>
>>>>> On 03/17/2016 05:31 PM, MichaelLeung wrote:
>>>>>> any reply?
>>>>>>
>>>>>> On 03/17/2016 03:20 PM, MichaelLeung wrote:
>>>>>>> well, i defined an ldap-group check policy
>>>>>>>
>>>>>>> #
>>>>>>> devicemanager_check {
>>>>>>>         if (Ldap-Group == "DeviceManager") {
>>>>>>>                 update reply {
>>>>>>> &User-Profile := 
>>>>>>> "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
>>>>>>>                 }
>>>>>>>         }
>>>>>>>         elsif (Ldap-Group == "Device_Write") {
>>>>>>>                 update reply {
>>>>>>>                         &Reply-Message += "Welcome,Device Operator"
>>>>>>>                 }
>>>>>>>         }
>>>>>>>         elsif (Ldap-Group == "Device_Reivew") {
>>>>>>>                 update reply {
>>>>>>>                         &Reply-Message += "Welcome Device Reviewer"
>>>>>>>                 }
>>>>>>>         }
>>>>>>>         else {
>>>>>>>                 update reply {
>>>>>>>                         &Reply-Message += "you are not authorized to access , please confirm that you have the permission..."
>>>>>>>                 }
>>>>>>>                 reject
>>>>>>>         }
>>>>>>> }
>>>>>>>
>>>>>>> i am not sure whether the user overrides the User-Profile or not.
>>>>>>>
>>>>>>>
>>>>>>> On 03/17/2016 10:56 AM, MichaelLeung wrote:
>>>>>>>> hi list
>>>>>>>>
>>>>>>>> my freeradius version is 3.0.4
>>>>>>>>
>>>>>>>> i have enabled the ldap module and its radius profile feature.
>>>>>>>>
>>>>>>>> and i need to check that the user is in the specific Ldap-Group, 
>>>>>>>> and assign the User-Profile which contains all the radius 
>>>>>>>> Reply-Items.
>>>>>>>> so when my NAS tries to authenticate, i can only see radiusd -X 
>>>>>>>> responding:
>>>>>>>> (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, 
>>>>>>>> id=96, length=0
>>>>>>>> (0)     User-Profile := 
>>>>>>>> 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
>>>>>>>> it did not print out what reply items the User-Profile 
>>>>>>>> contained.
>>>>>>>> and actually, i defined the reply item as
>>>>>>>> Huawei-Exec-Privilege := "15"
>>>>>>>> it will give the highest admin right to users belonging to 
>>>>>>>> Group Device_Superior to operate the device.
>>>>>>>>
>>>>>>>> how can i debug the User-Profile?
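The wiki text quoted in the thread gives the item format (`ldap-attribute: radius-attribute operator value`) and the rule that a profile entry must carry `objectclass: radiusprofile`, but the thread never shows what reply list such an entry actually produces, which is exactly what the original poster wanted to debug. The Python below is an added example, not code from the thread or from FreeRADIUS: it parses radiusCheckItem/radiusReplyItem values and merges the reply items of a constructed LDAP entry the way the reply-list operators `:=`, `+=` and `=` behave, so a profile can be checked offline before a NAS ever sees it. The sample entry, its DN and its attribute values are constructed for the example.

```python
import re
from dataclasses import dataclass

# Operators accepted in check/reply items. Only ":=", "+=" and "=" make
# sense in a radiusReplyItem; the remaining ones are comparison operators
# used by radiusCheckItem. The alternation lists two-character operators
# first so they win over the single-character "=", "<" and ">".
ITEM_RE = re.compile(
    r'^\s*([A-Za-z0-9\-]+)\s*'
    r'(:=|\+=|-=|==|!=|>=|<=|=~|!~|=|>|<)\s*'
    r'(.*?)\s*$'
)
REPLY_OPERATORS = {":=", "+=", "="}


@dataclass(frozen=True)
class Item:
    attribute: str
    operator: str
    value: str


def parse_item(raw: str) -> Item:
    """Parse one 'radius-attribute operator value' string into its parts."""
    m = ITEM_RE.match(raw)
    if not m:
        raise ValueError(f"not a valid check/reply item: {raw!r}")
    attribute, operator, value = m.groups()
    # Drop one pair of matching surrounding quotes; inner quotes are kept.
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return Item(attribute, operator, value)


def profile_reply_items(entry: dict) -> list:
    """Return the ordered (attribute, value) reply list a profile entry yields.

    `entry` maps LDAP attribute names to lists of values, as an LDAP client
    library would return them. The objectClass requirement comes from the
    wiki text quoted in the thread; the operator semantics are the usual
    reply-list rules (":=" replaces, "+=" appends, "=" adds only if absent).
    """
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "radiusprofile" not in classes:
        raise ValueError("entry lacks objectClass radiusprofile")
    reply = []  # ordered list of (attribute, value) pairs
    for raw in entry.get("radiusReplyItem", []):
        item = parse_item(raw)
        if item.operator not in REPLY_OPERATORS:
            raise ValueError(
                f"{item.operator!r} is a check operator, not valid in radiusReplyItem: {raw!r}"
            )
        present = any(a.lower() == item.attribute.lower() for a, _ in reply)
        if item.operator == ":=":
            # ":=" replaces every existing instance of the attribute
            reply = [(a, v) for a, v in reply if a.lower() != item.attribute.lower()]
            reply.append((item.attribute, item.value))
        elif item.operator == "+=":
            # "+=" always appends another instance
            reply.append((item.attribute, item.value))
        elif not present:
            # "=" adds the attribute only when it is not already present
            reply.append((item.attribute, item.value))
    return reply


# Constructed sample entry (hypothetical values) modelled on the group DN
# and the Huawei-Exec-Privilege reply item mentioned in the thread.
DEVICE_SUPERIOR_PROFILE = {
    "dn": ["cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com"],
    "objectClass": ["top", "groupOfNames", "radiusprofile"],
    "radiusReplyItem": [
        'Huawei-Exec-Privilege := "15"',
        'Reply-Message += "Welcome, Device Superior"',
        'Reply-Message += "Privilege level 15 granted"',
        'Session-Timeout = 3600',
        'Session-Timeout = 7200',  # ignored: "=" does not overwrite
    ],
}

if __name__ == "__main__":
    for attribute, value in profile_reply_items(DEVICE_SUPERIOR_PROFILE):
        print(f"{attribute} = {value!r}")
```

Running the file prints the four reply pairs the profile would contribute; feeding it the entry fetched from the directory with an LDAP client gives the same view that `radiusd -X` only shows once `User-Profile` is set in the control list and the ldap module has actually looked the profile up.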



More information about the Freeradius-Users mailing list