freeradius 3.0.13 LDAP - reply custom Vendor Specific
Paweł cit
pawelcit at gmail.com
Thu Nov 30 18:08:30 CET 2017
I tried many possibilities but still no luck. In the documentation:
http://wiki.freeradius.org/modules/Rlm_ldap there is:
in file raddb/mods-available/ldap put:
For Example:
radiusReplyAttribute: Cisco-AVPair := "ip:addr-pool=dialin_pool"
So I tried radiusReplyAttribute: Attr-26 := "0x483d342c20493d34" (with a space
between "bute: Attr" and without; both give an error):
update {
    control:Password-With-Header += 'userPassword'
    # control:NT-Password := 'ntPassword'
    reply:Reply-Message := 'radiusReplyMessage'
    radiusReplyAttribute: attr-26 := "0x483d342c20493d34"
    # reply:Tunnel-Type := 'radiusTunnelType'
    # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
    # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
    # Where only a list is specified as the RADIUS attribute,
    # the value of the LDAP attribute is parsed as a valuepair
    # in the same format as the 'valuepair_attribute' (above).
    control: += 'radiusControlAttribute'
    request: += 'radiusRequestAttribute'
    reply: += 'radiusReplyAttribute'
}
I also tried:
post-auth {
    update {
        description := "Authenticated at %S"
        reply:Attr-26 := "0x483d342c20493d34"
    }
}
or
post-auth {
    update {
        description := "Authenticated at %S"
    }
    reply {
        Attr-26 := "0x483d342c20493d34"
    }
}
doesn't work either :(
2017-11-30 17:39 GMT+01:00 Alan DeKok <aland at deployingradius.com>:
>
> > On Nov 30, 2017, at 11:17 AM, Paweł cit <pawelcit at gmail.com> wrote:
> >
> > I have a feeling that you mistook Supermicro's IPMI with freeIPA. Am I
> > right?
>
> I have no idea what you're doing. I can only go by what you say. If
> what you say is confusing (and it is), then... that's to be expected.
>
> > freeradius is just using freeipa's user database. I try to configure
> > freeradius to work with IPMI. My problem is similar to this:
> > http://lists.freeradius.org/pipermail/freeradius-users/2015-October/080240.html
> > I still have no idea how to connect IPMI to freeradius. In Supermicro's
> > documentation there's only:
> >
> > 2.2. Configuring User information
> > #vi /etc/raddb/users
> >
> > Example:
> > myuser Auth-Type :=Local, User-Password == “123456”
> > Vendor-Specific = “H=4, I=4”
>
> Oh god, THAT shit again? I should find the SuperMicro people and slap
> them. That's a *stupid* thing to do, which violates all of the RADIUS RFCs.
>
> It's really quite simple then. You use THAT EXAMPLE to send the data
> back. You DON'T edit the dictionaries.
>
> > In my case the difference is that I have users in LDAP, not in a file.
>
> So you need to configure the attribute "Vendor-Specific" as an LDAP
> reply, with contents "H=4,I=4"
>
> The LDAP module documentation describes how to configure reply
> attributes. Follow that.
>
> If you can't send "Vendor-Specific" back as-is (and I think you can't),
> you will need to use raw attributes.
>
> i.e. use "Attr-26" as the attribute name, and a hex string as the
> contents. The hex string should be the hex version of the "H=4, I=4"
> string.
>
> e.g. Attr-26 = 0x48....
>
> and convert the rest of the string to hex.
>
> Alan DeKok.
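The raw-attribute encoding suggested in the quoted reply, as an added example that is not part of the original thread: it converts the "H=4, I=4" string to the hex form used for Attr-26, shows the attribute as it appears on the wire, and checks the payload against the RFC 2865 Vendor-Specific layout (a 4-octet Vendor-Id whose high octet is 0). The function names are hypothetical, and the Cisco value is a constructed sample built from the Cisco-AVPair string in the message.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type 26 (RFC 2865, section 5.26)

def to_raw_attr(text):
    """Hex form of an ASCII string, for use as a raw Attr-26 value."""
    return "0x" + text.encode("ascii").hex()

def from_raw_attr(hexstr):
    """Decode a 0x... raw attribute value back into its octets."""
    if not hexstr.lower().startswith("0x"):
        raise ValueError("raw attribute value must start with 0x")
    return bytes.fromhex(hexstr[2:])

def wire_encode(value):
    """Type/length/value as sent in the packet; length includes the 2 header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(value) + 2) + value

def rfc2865_vsa_problem(value):
    """Return why value is not an RFC 2865 style VSA, or None if it looks like one."""
    if len(value) < 5:
        return "too short for a 4-octet Vendor-Id plus data"
    (vendor_id,) = struct.unpack("!I", value[:4])
    if vendor_id >> 24:
        return "Vendor-Id high octet is 0x%02x, expected 0" % (vendor_id >> 24)
    return None

# Constructed sample: the page's Cisco-AVPair string as a regular VSA
# (Vendor-Id 9 = Cisco, vendor type 1 = Cisco-AVPair).
_avpair = b"ip:addr-pool=dialin_pool"
CISCO_VSA = struct.pack("!IBB", 9, 1, len(_avpair) + 2) + _avpair

if __name__ == "__main__":
    raw = to_raw_attr("H=4, I=4")
    print(raw)
    print(wire_encode(from_raw_attr(raw)).hex())
    print(rfc2865_vsa_problem(from_raw_attr(raw)))
    print(rfc2865_vsa_problem(CISCO_VSA))
```

The hex string tried in the message decodes to exactly "H=4, I=4" (with the space), so the value itself is what the Supermicro example specifies; the check only shows why a dictionary-driven Vendor-Specific attribute cannot carry it.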