LDAP group check not working with SQL expansion
Klara Mall
klara.mall at kit.edu
Tue Jul 25 00:18:01 CEST 2017
Hi,
On 07/24/2017 11:35 PM, Arran Cudbard-Bell wrote:
>
>> I'm using FreeRADIUS Version 3.0.12.
>>
>> I'm doing EAP-TTLS/PAP and I have the following policy in the
>> authorize section of the inner tunnel virtual server (same behaviour
>> when it's in post-auth):
>
> That's an odd one, feel free to open a GitHub issue.
>
> For a quick workaround, you may be able to copy the value of the expansion to a temporary attribute and use that.
>
> i.e.
>
> update request {
> Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> }
>
> if (LDAP-Group == &Tmp-String-0) {
> update reply {
> Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> Tunnel-Type := VLAN
> Tunnel-Medium-Type := IEEE-802
> }
> }
>
> Let me know if it works. May give some insight as to what's going on.
Thanks for your quick response. Tried it but when I start freeradius:
/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: Parse error in condition
/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: (LDAP-Group == &Tmp-String-0) {
/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: ^ Cannot use attribute reference on right side of condition
Errors reading or parsing /etc/freeradius/3.0/radiusd.conf
As you suggested I will open a GitHub issue. But are there any other
suggestions for a workaround? Unfortunately I really need one. I thought
about doing the group check more explicitly. Is that possible somehow?
Thanks
Klara