Multi-valued LDAP attribute configuration
Srinivasa R
srinivasa.r at icts.res.in
Wed Sep 13 13:26:11 CEST 2017
Hi Peter,
On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter at crypt.nz> wrote:
> What you should do is an LDAP query based on the incoming MAC address:
>
> user {
>     filter = "(userServices=%{User-Name})"
> }
>
> Assuming the User-Name is the MAC address of the incoming client. The
> "userServices" I assume is the multi-valued attribute in your ldap
> directory.
>
I have tried this, but it is checking for the first value only and accepting
only for the first field value out of three.
> Then if you get a response you know the record exists, otherwise it doesn't
> and reject the request.
>
>
>
> On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <steffen.klemer at gwdg.de>
> wrote:
>
> > On Tue, 12.09.2017 at 18:30, Srinivasa R
> > <srinivasa.r at icts.res.in> wrote:
> >
> > > I have installed FreeRADIUS server (Version 3.0.4) on Cent 7 OS and
> > > configured the external authentication with 389-DS server using
> > > rlm_ldap module. I would like to authenticate the mac address of all
> > > the users which I have stored in LDAP. The macaddress field in LDAP is
> > > a multi value attribute and the FreeRADIUS is communicating with LDAP
> > > without any issues, but the freeradius is authenticating only the
> > > first macaddress value from LDAP's multi value field.
> > >
> > > I would like to configure the Freeradius to authenticate all the
> > > values from multi value field. Someone suggested that we can
> > > configure this using rlm_python or rlm_perl module. I am not a coder
> > > and I am not able to find any step-by-step guide to configure the same.
> > > Could someone guide me on how to configure the Freeradius to
> > > authenticate Multi-valued LDAP attribute?
> >
> > I used unlang features to implement sth. like this. I think you can
> > adapt it to your use case.
> >
> >
> > In the LDAP module I have sth like
> >
> > update {
> >     request:gwdg-user-services += 'userServices'
> > }
> >
> > where userServices is multi-valued and sometimes included
> > 'eduroamNotAllowed'
> >
> >
> > In the site I check against all occurrences:
> >
> > if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) {
> >     ...
> > }
> >
> >
> > Kind regards
> > /Steffen
> >
> > --
> > Steffen Klemer E-Mail: Steffen.Klemer at gwdg.de
> > Tel: +49 551 201 2170
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
Regards,
--
Srinivas R
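
Added example, not code from any poster in this thread or from the FreeRADIUS project: a Python model of the equality-filter lookup discussed above, showing that an LDAP equality match on a multi-valued attribute succeeds when any stored value equals the asserted one, and that the client-supplied User-Name should be validated as a MAC address and escaped before it is placed in a filter. The function names and the sample entry are hypothetical and constructed; it assumes the User-Name carries the MAC and that comparing normalized forms is acceptable for the directory's matching rule.

```python
import re

# Constructed sample entry: one user with three MAC addresses stored in the
# multi-valued attribute named in the thread ("userServices").
SAMPLE_ENTRY = {
    "uid": ["alice"],
    "userServices": ["00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"],
}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(user_name):
    """Return aa:bb:cc:dd:ee:ff, or None if user_name is not a MAC address."""
    # Strip the usual separators (-, :, .) and require exactly 12 hex digits.
    digits = re.sub(r"[-:.]", "", user_name.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(user_name, attr="userServices"):
    """Build the equality filter from the thread, or None to reject outright."""
    mac = normalize_mac(user_name)
    if mac is None:
        return None  # not a MAC address: never send it to the directory
    return "({}={})".format(attr, escape_filter_value(mac))


def entry_matches(entry, user_name, attr="userServices"):
    """Equality match as a directory evaluates it: true if ANY value equals."""
    mac = normalize_mac(user_name)
    if mac is None:
        return False
    return any(normalize_mac(v) == mac for v in entry.get(attr, []))
```
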