debug User-Profile
Anirudh Malhotra
8zero2ops at gmail.com
Thu Mar 24 05:40:10 CET 2016
Why are you updating reply? User profile should be in the request for radius to be able to check its attributes!
BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in
On 18 Mar 2016, 14:56 +0530, MichaelLeung <gbcbooksmj at gmail.com>, wrote:
> there are more
>
> in the LDAP server
> in your profile store dn
> 1.add a radiusprofile objectclass
> 2.add radiusProfiledn
> set its values with its own dn
> 3.add radiusReplyItem attribute
> add the first value:
> Reply-Message += "Welcome administrator %{User-Name}"
> add the second value:
> Huawei-Exec-Privilege := 15
>
> and then
> valuepair_attribute = "radiusReplyItem" this setting will retrieve
> radiusReplyItem's values and add them to the radius reply section.
>
>
>
> that's all.
>
> On 03/18/2016 05:05 PM, MichaelLeung wrote:
> > hope this could help more people
> >
> > On 03/18/2016 04:55 PM, MichaelLeung wrote:
> > > finally, I figured out how it works
> > >
> > > first, edit mods-available/ldap
> > > in global section
> > > add:
> > >
> > > valuepair_attribute = "radiusReplyItem"
> > >
> > > in profile section
> > > uncomment and change the default values
> > > profile {
> > > default = "%{control:User-Profile}"
> > > }
> > >
> > > go to policy.d/ directory
> > > create a policy, whatever you name it
> > > whatevername {
> > > if (Ldap-Group == "groupname in LDAP, or DN") {
> > > update {
> > > &control:User-Profile := "profile dn in LDAP"
> > > }
> > > updated
> > > }
> > > else {
> > > reject
> > > }
> > > }
> > >
> > > go to sites-available/ directory
> > >
> > > edit the virtual server you want
> > >
> > > in the authorize section
> > >
> > > add the policy into it
> > >
> > > On 03/18/2016 02:07 PM, MichaelLeung wrote:
> > > > I found this on wiki.freeradius.org
> > > >
> > > >
> > > > LDAP ATTRIBUTES
> > > >
> > > > In version 2, the mapping between RADIUS attributes
> > > > <http://wiki.freeradius.org/protocol/Attributes> and LDAP
> > > > <http://wiki.freeradius.org/protocol/LDAP> attributes is in
> > > > raddb/ldap.attrmap. You can edit that file and add any new mapping
> > > > that you may need. The LDAP-schema file is located in
> > > > doc/RADIUS-LDAPv3.schema. Before adding any radius attributes the
> > > > ldap server schema should be updated.
> > > >
> > > > All ldap entries containing radius attributes should contain at
> > > > least "objectclass: radiusprofile"
> > > >
> > > > radiusCheckItem and radiusReplyItem are special. They allow the
> > > > administrator to add any check or reply item respectively without
> > > > adding it in the ldap schema. The format should be:
> > > >
> > > > ldap-attribute: radius-attribute operator value
> > > >
> > > > The version 3 attribute mapping is in the module configuration file
> > > > raddb/mods-available/ldap
> > > >
> > > > For Example:
> > > >
> > > > radiusReplyItem: Cisco-AVPair := "ip:addr-pool=dialin_pool"
> > > >
> > > >
> > > > but I don't understand: if we map the radius attr and ldap attr,
> > > > then give it values, why do we store the replyitem in LDAP?
> > > >
> > > >
> > > > On 03/18/2016 01:46 PM, MichaelLeung wrote:
> > > > > does freeradius 3.0.4 still have ldap.attrmap?
> > > > >
> > > > > On 03/18/2016 12:46 PM, MichaelLeung wrote:
> > > > > > how can I get radiusReplyItem from LDAP?
> > > > > >
> > > > > > On 03/18/2016 09:25 AM, MichaelLeung wrote:
> > > > > > > any help?
> > > > > > >
> > > > > > > On 03/17/2016 05:31 PM, MichaelLeung wrote:
> > > > > > > > any reply?
> > > > > > > >
> > > > > > > > On 03/17/2016 03:20 PM, MichaelLeung wrote:
> > > > > > > > > well, I defined an ldap-group check policy
> > > > > > > > >
> > > > > > > > > #
> > > > > > > > > devicemanager_check {
> > > > > > > > > if (Ldap-Group == "DeviceManager") {
> > > > > > > > > update reply {
> > > > > > > > > &User-Profile := "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com"
> > > > > > > > > }
> > > > > > > > > }
> > > > > > > > > elsif (Ldap-Group == "Device_Write") {
> > > > > > > > > update reply {
> > > > > > > > > &Reply-Message += "Welcome,Device Operator"
> > > > > > > > > }
> > > > > > > > > }
> > > > > > > > > elsif (Ldap-Group == "Device_Reivew") {
> > > > > > > > > update reply {
> > > > > > > > > &Reply-Message += "Welcome Device Reviewer"
> > > > > > > > > }
> > > > > > > > > }
> > > > > > > > > else {
> > > > > > > > > update reply {
> > > > > > > > > &Reply-Message += "you are not
> > > > > > > > > authorized to access , please confirm that you have the
> > > > > > > > > permission..."
> > > > > > > > > }
> > > > > > > > > reject
> > > > > > > > > }
> > > > > > > > > }
> > > > > > > > >
> > > > > > > > > I am not sure whether the user overrides the User-Profile or not.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On 03/17/2016 10:56 AM, MichaelLeung wrote:
> > > > > > > > > > hi list
> > > > > > > > > >
> > > > > > > > > > my freeradius version is 3.0.4
> > > > > > > > > >
> > > > > > > > > > I have enabled the ldap module and its radius profile feature.
> > > > > > > > > >
> > > > > > > > > > and I need to check that the user is in a specific Ldap-Group,
> > > > > > > > > > and assign the User-Profile which contains all the radius
> > > > > > > > > > Reply-Items.
> > > > > > > > > > so when my NAS tries to authenticate, I can only see radiusd
> > > > > > > > > > -X responding:
> > > > > > > > > > (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, id=96, length=0
> > > > > > > > > > (0) User-Profile := 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com'
> > > > > > > > > > it does not print out what reply items the User-Profile
> > > > > > > > > > contains.
> > > > > > > > > > and actually, I defined the reply item as
> > > > > > > > > > Huawei-Exec-Privilege := "15"
> > > > > > > > > > it gives the highest admin right to the users belonging to
> > > > > > > > > > Group Device_Superior to operate the device.
> > > > > > > > > >
> > > > > > > > > > how can I debug the User-Profile?
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
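As an added example that is not part of any post in this thread, here is a raddb/policy.d/ policy that applies Anirudh's point: User-Profile is set in the control list (not the reply list) with the assignment operator `:=`, so that the ldap module, configured as MichaelLeung describes, can look up the profile entry and add its radiusReplyItem values to the reply. The policy name device_profile, the group names and the DNs are placeholders, and the policy assumes the ldap module's group section matches Ldap-Group by name (the default name_attribute of cn).

```unlang
# Added example, not MichaelLeung's posted policy: a raddb/policy.d/ policy
# that puts User-Profile in the control list so rlm_ldap can fetch the
# profile entry and copy its radiusReplyItem values into the reply.
# Policy name, group names and DNs are placeholders for your own directory.
device_profile {
    if (Ldap-Group == "DeviceManager") {
        update control {
            &User-Profile := "cn=DeviceManager,ou=Profiles,dc=example,dc=com"
        }
    }
    elsif (Ldap-Group == "Device_Review") {
        update control {
            &User-Profile := "cn=Device_Review,ou=Profiles,dc=example,dc=com"
        }
    }
    else {
        # No matching group: reject explicitly instead of falling through
        # to whatever default profile the ldap module would otherwise apply.
        update reply {
            &Reply-Message := "Not authorized for device access"
        }
        reject
    }
}

# The two settings the thread relies on in raddb/mods-available/ldap
# (shown as comments because this file is a policy, not the module config):
#
#   valuepair_attribute = "radiusReplyItem"
#   profile {
#       default = "%{control:User-Profile}"
#   }
#
# In the virtual server's authorize section (sites-available/), the policy
# must be listed before the ldap module; otherwise control:User-Profile is
# still empty when the profile lookup runs:
#
#   authorize {
#       device_profile
#       ldap
#       ...
#   }
```

Each profile entry in LDAP is built as described earlier in the thread: `objectClass: radiusprofile`, `radiusProfileDn` set to the entry's own DN, and one `radiusReplyItem` value per reply attribute, for example `Huawei-Exec-Privilege := 15`. To check it, run `radiusd -X` and look at the ldap module's output after the policy has run: it should show the profile DN being processed and the reply attributes taken from it, rather than the bare DN being echoed in the Access-Accept as in the original log. Because the privilege level handed to the NAS now lives in these profile entries and in group membership, write access to them is effectively administrative access to the devices; restrict it with LDAP ACLs and audit changes to it.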
More information about the Freeradius-Users
mailing list