LDAP group check not working with SQL expansion

Klara Mall klara.mall at kit.edu
Tue Jul 25 00:18:01 CEST 2017


On 07/24/2017 11:35 PM, Arran Cudbard-Bell wrote:
>> I'm using FreeRADIUS Version 3.0.12.
>> I'm doing EAP-TTLS/PAP and I have the following policy in the
>> authorize section of the inner tunnel virtual server (same behaviour
>> when it's in post-auth):
> That's an odd one, feel free to open a GitHub issue.
> For a quick workaround, you may be able to copy the value of the expansion to a temporary attribute and use that.
> i.e.
> update request {
> 	Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> }
> if (LDAP-Group == &Tmp-String-0) {
> 	update reply {
> 		Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> 		Tunnel-Type := VLAN
> 		Tunnel-Medium-Type := IEEE-802
> 	}
> }
> Let me know if it works.  May give some insight as to what's going on.

Thanks for your quick response. Tried it but when I start freeradius:

/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: Parse error in condition
/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]: (LDAP-Group ==
&Tmp-String-0) {
/etc/freeradius/3.0/policy.d/w2vgroupcheck[8]:  ^ Cannot use attribute
reference on right side of condition
Errors reading or parsing /etc/freeradius/3.0/radiusd.conf

As you suggested I will open a GitHub issue. But are there any other
suggestions for a workaround? Unfortunately I really need one. I thought
about doing the group check more explicitly. Ist that possible somehow?


More information about the Freeradius-Users mailing list