Multi-valued LDAP attribute configuration

Srinivasa R srinivasa.r at icts.res.in
Wed Sep 13 19:21:20 CEST 2017


Hi Alister,

When I run an LDAP query using the command line tool “ldapsearch”, I get
the following output:

# it section, People, icts.res.in
dn: cn=it section,ou=People,dc=XXXX,dc=XXX,dc=XX
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: ieee802Device
homeDirectory: /home/it
loginShell: /bin/bash
uid: it
cn: it section
uidNumber: 10001
gidNumber: 10000
sn: section
givenName: it
telephoneNumber:
mobile:
macAddress: 28:f1:0e:2a:c1:ac
macAddress: e4:a4:71:a3:88:6f
macAddress: 0c:c4:7a:22:63:23

Regards,
--

Srinivas R

On Wed, Sep 13, 2017 at 8:44 PM, Winfield, Alister <Alister.Winfield at sky.uk>
wrote:

> Do the LDAP query using the command line tool “ldapsearch”.
>
> If you really have a multi-valued attribute with the right value(s) it
> should work.
>
> I’d expect to see something like:
>
>
> dn: cn=foo,dc=bar,dc=com
> cn: foo
> userServices: 00:01:02:03:04:05
> userServices: 0a:0b:0c:0d:0e:0f
> userServices: aa:bb:cc:dd:ee:ff
> objectClass: ….
>
> In the output of the command line search.
>
> Alister
>
>
> On 13/09/2017, 12:26, "Freeradius-Users on behalf of Srinivasa R"
> <freeradius-users-bounces+alister.winfield=sky.uk at lists.freeradius.org on
> behalf of srinivasa.r at icts.res.in> wrote:
>
>     Hi Peter,
>
>
>     On Wed, Sep 13, 2017 at 2:51 AM, Peter Lambrechtsen <peter at crypt.nz>
> wrote:
>
>     > What you should do is an LDAP query based on the incoming MAC address:
>     >
>     >         user {
>     >                 filter = "(userServices=%{User-Name})"
>     >         }
>     >
>     > Assuming the User-Name is the MAC address of the incoming client. The
>     > "userServices" I assume is the multi-valued attribute in your ldap
>     > directory.
>     >
>     I have tried this, but it is checking for the first value only and
>     accepting only the first field value out of three.
>
>
>
>     > Then if you get a response you know the record exists, otherwise it
> doesn't
>     > and reject the request.
>     >
>     >
>     >
>     > On Wed, Sep 13, 2017 at 4:36 AM, Steffen Klemer <
> steffen.klemer at gwdg.de>
>     > wrote:
>     >
>     > > On Tue, 12.09.2017 at 18:30, Srinivasa R
>     > > <srinivasa.r at icts.res.in> wrote:
>     > >
>     > > > I have installed FreeRADIUS server (Version 3.0.4) on CentOS 7 and
>     > > > configured the external authentication with 389-DS server using
>     > > > rlm_ldap module. I would like to authenticate the MAC address of all
>     > > > the users which I have stored in LDAP. The macAddress field in LDAP is
>     > > > a multi-value attribute and FreeRADIUS is communicating with LDAP
>     > > > without any issues, but FreeRADIUS is authenticating only the
>     > > > first macAddress value from LDAP's multi-value field.
>     > > >
>     > > > I would like to configure FreeRADIUS to authenticate all the
>     > > > values from the multi-value field. Someone suggested that we can
>     > > > configure this using rlm_python or rlm_perl module. I am not a coder
>     > > > and I am not able to find any step-by-step guide to configure the
>     > > > same. Could someone guide me on how to configure FreeRADIUS to
>     > > > authenticate a multi-valued LDAP attribute?
>     > >
>     > > I used unlang features to implement something like this. I think you can
>     > > adapt it to your use case.
>     > >
>     > >
>     > > In the LDAP module I have something like
>     > >
>     > > update {
>     > >   request:gwdg-user-services += 'userServices'
>     > > }
>     > >
>     > > where userServices is multi-valued and sometimes included
>     > > 'eduroamNotAllowed'
>     > >
>     > >
>     > > In the site I check against all occurrences:
>     > >
>     > > if ( &gwdg-user-services[*] !~ /eduroamNotAllowed/ ) {
>     > > ...
>     > > }
>     > >
>     > >
>     > > Regards
>     > > /Steffen
>     > >
>     > > --
>     > > Steffen Klemer                     E-Mail: Steffen.Klemer at gwdg.de
>     > >                                    Tel:    +49 551 201 2170
>     > >
>     > > ------------------------------------------------------------------
>     > > GWDG - Gesellschaft für wissenschaftliche
>     > > Datenverarbeitung mbH Göttingen
>     > > Am Faßberg 11, 37077 Göttingen
>     > >
>     > > Service-Hotline:
>     > > Tel:    +49 551 201-1523
>     > > E-Mail: support at gwdg.de
>     > >
>     > > Contact:
>     > > Tel:    0551 201-1510
>     > > Fax:    0551 201-2150
>     > > E-Mail: gwdg at gwdg.de
>     > > WWW:    https://www.gwdg.de
>     > > ------------------------------------------------------------------
>     > > Managing Director:           Prof. Dr. Ramin Yahyapour
>     > > Chairman of the Supervisory Board: Prof. Dr. Christian Griesinger
>     > > Registered office:     Göttingen
>     > > Register court: Göttingen, commercial register no. B 598
>     > > ------------------------------------------------------------------
>     > > Certified to ISO 9001
>     > > ------------------------------------------------------------------
>     > >
>     > > -
>     > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
>     > > list/users.html
>     > >
>     >
>
>
>     Regards,
>     --
>
>     Srinivas R
>
>



-- 

Srinivas R
Scientific Officer 'C'
International Centre for Theoretical Sciences (ICTS)
Survey No. 151, Shivakote, Hesaraghatta Hobli,
Bengaluru North - 560 089, India.
Office: 080 - 6730/4653-6305 | Mob: +91 9886280088
Email: srinivasa.r at icts.res.in
Website: www.icts.res.in
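Steffen's pattern (copy every value of the multi-valued attribute into a request/control attribute with `+=`, then test all instances with `[*]`) applied to the macAddress attribute shown in the ldapsearch output above. This is an added example, not configuration from the thread or from the FreeRADIUS project; it assumes a FreeRADIUS 3.0.x rlm_ldap instance named `ldap`, a uid-based user lookup, placeholder server and base_dn values, and that the NAS sends the client MAC in Calling-Station-Id.

```unlang
# mods-available/ldap (added example; server and base_dn are placeholders)
ldap {
    server = "ldap.example.org"
    base_dn = "ou=People,dc=example,dc=org"

    user {
        base_dn = "${..base_dn}"
        # Look the entry up by login name. rlm_ldap applies its LDAP filter
        # escaping to the expanded value before it is put into the filter.
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # "+=" adds one control:Tmp-String-0 instance per macAddress value,
        # so the "it section" entry above yields three instances.
        control:Tmp-String-0 += 'macAddress'
    }
}

# sites-enabled/default, authorize section
authorize {
    # Normalise the NAS-supplied MAC (aa-bb-cc-dd-ee-ff, AABBCCDDEEFF,
    # aa:bb:cc:dd:ee:ff, ...) to the lower-case colon form stored in LDAP,
    # because the string comparison below is exact and case-sensitive.
    if (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
        update request {
            &Tmp-String-1 := "%{tolower:%{1}:%{2}:%{3}:%{4}:%{5}:%{6}}"
        }
    }
    else {
        # No usable MAC in the request: nothing to check against.
        reject
    }

    ldap

    # "[*]" tests every instance: true if any copied macAddress value equals
    # the normalised client MAC, false if the entry was not found (no
    # Tmp-String-0 at all) or none of its values match.
    if (&control:Tmp-String-0[*] == &Tmp-String-1) {
        ok
    }
    else {
        reject
    }
}
```

Run `radiusd -X` and look for the `update` lines to confirm that all three macAddress values are copied before the `[*]` comparison runs.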

