VLan affect based on ldap attribute freeradius v3
jehan procaccia int
jehan.procaccia at int-evry.fr
Thu Aug 30 22:55:08 CEST 2018
My responses below
On 30/08/2018 at 19:32, Matthew Newton wrote:
> On Thu, 2018-08-30 at 19:06 +0200, jehan procaccia INT wrote:
>> 2) running radiusd -X I do see the ldap query and attribute returned
>> correctly
>>
>> rlm_ldap (prod): Reserved connection (3)
>> (41) prod: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
>> (41) prod: --> (uid=teststud)
>>
>> ...
>>
>> (41) prod: Processing user attributes
>> (41) prod: control:Password-With-Header += '{CRYPT}secretaoSOObH1'
>> (41) prod: control:NT-Password += secret3735323731
>> (41) prod: reply:Reply-Message := 'faculty'
>> (41) prod: reply:User-Category += 'faculty'
>> rlm_ldap (prod): Released connection (3)
>> (41) [prod] = updated
> OK
>
>> if (( reply:UserCategory == "employee") ||
>> (reply:UserCategory == "faculty") || (reply:UserCategory == "staff"
>> ) || (reply:UserCategory == "researcher") || (reply:UserCategory ==
>> "member")) {
>> update reply {
>> Tunnel-Private-Group-Id := 903
>> }
> Use &reply:User-Category, etc
I did that, but it still fails, now with the error:
(30) if (( &reply:User-Category == "employee") ||
(&reply:User-Category == "faculty") || (&reply:User-Category == "staff"
) || (&reply:User-Category == "researcher") || (&reply:User-Category ==
"member")) {
(30) ERROR: Failed retrieving values required to evaluate condition
(30) elsif ( (&reply:User-Category == "student" ) ||
(&reply:User-Category == "affiliate") ) {
(30) ERROR: Failed retrieving values required to evaluate condition
(30) else {
(30) update reply {
(30) Tunnel-Private-Group-Id := 902
then it is still not clear whether my attribute is named User-Category or
UserCategory (without "-")!?
and what's the difference between reply and &reply?
from
https://wiki.freeradius.org/config/run_time_variables#attributes-as-environment-variables-in-executed-programs
I see that "-" should be replaced by "_", but that's for shell rlm_exec,
not rlm_ldap?
now if I set in vlanaffect.conf
if (( &reply:UserCategory == "employee") || (&reply:UserCategory
== "faculty") || (&reply:UserCategory == "staff" ) ||
(&reply:UserCategory == "researcher") || (&reply:UserCategory ==
"member")) {
update reply {
Tunnel-Private-Group-Id := 903
radiusd -X fails on:
} # server default
/etc/raddb/sites-enabled/../vlanaffect.conf[3]: Unknown attribute
'UserCategory'
in mods-available/ldap I have the following mapping
ldap prod {
update {
reply:User-Category += 'eduPersonPrimaryAffiliation'
should (can?) I rename :User-Category to :UserCategory here?
>
>
>> is there a way to print the value of an attribute to check its
>> name and value?
> debug_reply
where do you set that? I do see in policy.d/debug
debug_reply {
if("%{debug_attr:reply:}" == '') {
noop
}
does it mean it is set already?
>
> If it's not there... is this the same RADIUS packet? e.g. you set
> User-Category in one packet, and then checking it again in the next packet. If so, use the session-state: list instead of reply:.
I use eduroam with PEAP/MSCHAPv2 (inner-tunnel), so maybe different RADIUS
packets are involved; would it be in my vlanaffect script that I should
replace reply with session-state?
thanks.
>
>> I am confused by the attribute name itself, you might have noticed in
>> my vlanaffect.conf I use UserCategory but in the ldap module it is named
>> User-Category (note the - between User and Category)! It is so
>> because if in vlanaffect.conf I name it according to the ldap module
>> (User-Category) strangely I get errors in running radiusd -X:
> If you use different names for the attribute then it's not going to
> work...
>
> Try with the & before the attribute name.
>
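A corrected version of the VLAN policy, added here as an editor's example; it is not code from the thread or from the FreeRADIUS project. It keeps the attribute name User-Category, which FreeRADIUS v3 defines in its internal dictionary (which is why UserCategory fails at parse time with "Unknown attribute"), prefixes every attribute reference with & as Matthew suggests, and carries the value in the session-state: list so that it survives from the inner PEAP request to the outer Access-Accept, which is the likely reason for "Failed retrieving values required to evaluate condition" when the LDAP lookup and the VLAN policy run on different packets. The module name prod, the reply:User-Category mapping and the VLAN numbers 902 and 903 come from the thread; the placement of the policy in the outer default server's post-auth section, the inner-tunnel post-auth copy, the added Tunnel-Type and Tunnel-Medium-Type attributes and the existence check are assumptions. The student/affiliate branch is left out because the thread does not show which VLAN it assigns.

```unlang
#
#  mods-available/ldap: keep the name User-Category.  It exists in the
#  FreeRADIUS internal dictionary; UserCategory does not, hence the
#  "Unknown attribute" error at startup.
#
ldap prod {
	update {
		control:Password-With-Header	+= 'userPassword'
		reply:User-Category		+= 'eduPersonPrimaryAffiliation'
	}
}

#
#  sites-enabled/inner-tunnel, post-auth section (assumed placement).
#  With PEAP/MSCHAPv2 the LDAP lookup runs on the inner request, so its
#  reply:User-Category is only visible there.  Copy it into the outer
#  request's session-state: list, which FreeRADIUS keeps across the EAP
#  round trips until the final Access-Accept or Access-Reject.
#
post-auth {
	if (&reply:User-Category) {
		update {
			&outer.session-state:User-Category := &reply:User-Category
		}
	}
}

#
#  vlanaffect.conf, included from the post-auth section of the outer
#  "default" server (assumed).  Every attribute reference carries the &
#  prefix and reads session-state:, not reply:.  The outer existence
#  check avoids "Failed retrieving values required to evaluate
#  condition" when the attribute was never set (for example on a
#  request that did not go through the inner tunnel); such requests
#  fall through to the default VLAN.
#
if (&session-state:User-Category &&
    ((&session-state:User-Category == "employee") ||
     (&session-state:User-Category == "faculty") ||
     (&session-state:User-Category == "staff") ||
     (&session-state:User-Category == "researcher") ||
     (&session-state:User-Category == "member"))) {
	update reply {
		&Tunnel-Type			:= VLAN
		&Tunnel-Medium-Type		:= IEEE-802
		&Tunnel-Private-Group-Id	:= "903"
	}
}
else {
	update reply {
		&Tunnel-Type			:= VLAN
		&Tunnel-Medium-Type		:= IEEE-802
		&Tunnel-Private-Group-Id	:= "902"
	}
}
```

To confirm the attribute actually arrives in the outer packet, run radiusd -X and look for User-Category in the "(n) session-state:" lines of the outer request, or call the debug_reply and debug_all policies from policy.d/debug at the point where the VLAN policy runs; both print the list names and values, which answers the question above about checking an attribute's name and value. Tunnel-Type and Tunnel-Medium-Type are included because most switches ignore a bare Tunnel-Private-Group-Id without them.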