I want to branch an ldap attribute
西村暢敦 / NISHIMURA,NOBUATSU
nobuatsu.nishimura.dg at ps.hitachi-solutions.com
Mon Jul 22 11:02:53 CEST 2019
Thanks Alan for the quick response!
The configuration has been corrected.
authorize {
    ...
    if (specific AP) {
        update reply {
            Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com?uid?sub?uid=%u(radiusTunnelPrivateGroupId)}
        }
    }
This results in an error. Do you understand the cause?
Please tell me the solution.
Below is my debug output:
Mon Jul 22 14:07:39 2019 : Debug: radiusd: #### Loading Virtual Servers ####
Mon Jul 22 14:07:39 2019 : Debug: server { # from file /etc/raddb/radiusd.conf
Mon Jul 22 14:07:39 2019 : Debug: } # server
Mon Jul 22 14:07:39 2019 : Debug: server default { # from file /etc/raddb/sites-enabled/default
Mon Jul 22 14:07:39 2019 : Debug: authenticate {
Mon Jul 22 14:07:39 2019 : Debug: group {
Mon Jul 22 14:07:39 2019 : Debug: mschap
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: mschap
Mon Jul 22 14:07:39 2019 : Debug: group {
Mon Jul 22 14:07:39 2019 : Debug: if (&Realm == "edu.com" || &Realm == "edu.imc.com" || &Realm == "kkc.com") {
Mon Jul 22 14:07:39 2019 : Debug: ldap_generalusers
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: elsif (&Realm == "NULL") {
Mon Jul 22 14:07:39 2019 : Debug: if (&NAS-IP-Address == 10.254.x.xxx && &Framed-IP-Address =~ /^10\.241(\.[0-9]{1,3}){2}$/) {
Mon Jul 22 14:07:39 2019 : Debug: ldap_outside
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: else {
Mon Jul 22 14:07:39 2019 : Debug: ldap_allstudent
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: eap
Mon Jul 22 14:07:39 2019 : Debug: } # authenticate
Mon Jul 22 14:07:39 2019 : Debug: authorize {
Mon Jul 22 14:07:39 2019 : Debug: policy rewrite_called_station_id {
Mon Jul 22 14:07:39 2019 : Debug: if (&Called-Station-Id && &Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/) {
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: if ("%{8}") {
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &Called-Station-SSID := "%{8}"
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: updated
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: else {
Mon Jul 22 14:07:39 2019 : Debug: noop
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: preprocess
Mon Jul 22 14:07:39 2019 : Debug: mschap
Mon Jul 22 14:07:39 2019 : Debug: digest
Mon Jul 22 14:07:39 2019 : Debug: suffix
Mon Jul 22 14:07:39 2019 : Debug: eap
Mon Jul 22 14:07:39 2019 : Debug: if {
Mon Jul 22 14:07:39 2019 : Debug: ldap_allstudents
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &control:Auth-Type := LDAP
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = edu
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = kkc
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = imc
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc =
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: expiration
Mon Jul 22 14:07:39 2019 : Debug: logintime
Mon Jul 22 14:07:39 2019 : Debug: } # authorize
Mon Jul 22 14:07:39 2019 : Debug: preacct {
Mon Jul 22 14:07:39 2019 : Debug: preprocess
.....
Mon Jul 22 14:07:39 2019 : Debug: if (&outer.request:Called-Station-SSID == 'authtest') {
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &control:Auth-Type := LDAP
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: update {
Mon Jul 22 14:07:39 2019 : Debug: &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = edu
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = kkc
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc = imc
Mon Jul 22 14:07:39 2019 : Debug: &reply:dc =
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: updated
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Debug: }
Mon Jul 22 14:07:39 2019 : Error: /etc/raddb/sites-enabled/default[463]: Unknown attribute 'dc'
Regards
n.n
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nobuatsu.nishimura.dg=ps.hitachi-solutions.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Friday, July 19, 2019 7:57 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [!]Re: I want to branch an ldap attribute
On Jul 18, 2019, at 10:33 PM, 西村暢敦 / NISHIMURA,NOBUATSU <nobuatsu.nishimura.dg at ps.hitachi-solutions.com> wrote:
> I want to get vlanId (radiusTunnelPrivateGroupId) of the user I want to authenticate.
> Ldap query How should I write?
See LDAP documentation for how to write LDAP queries.
Then, paste the query into the FreeRADIUS configuration.
>> You can do dynamic LDAP queries:
>>
>> authorize {
>> ...
>> if (specific AP) {
>> update reply {
>> Tunnel-Private-Group-Id := "{ldap:ldap:///ou=Users,dc=edu,dc=com,uid?sub?radiusTunnelPrivateGroupId?}"
That isn't correct. The expansion uses %{...}.
>> }
>> }
> → Failed parsing expanded string
Post the debug output. There is just *no* reason for failing to do this.
> Is there a description method?
There's lots of documentation for both FreeRADIUS and for LDAP.
> Can I get vlan registered in ldap with any uid?
That's a question for LDAP, not FreeRADIUS.
Alan DeKok.
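An added example, not from the thread and not the poster's or Alan's configuration, showing the same assignment written so that unlang reads the LDAP URL as one string. The base DN, the LDAP attribute name and the SSID condition are taken from the configuration and debug output above; the use of User-Name as the uid, the module instance name and the second form (mapping the attribute in the ldap module's own update section) are assumptions.

```unlang
# sites-enabled/default (added example; names from the thread, rest assumed)
authorize {
    if (&outer.request:Called-Station-SSID == 'authtest') {
        update control {
            &Auth-Type := LDAP
        }
        update reply {
            # Unquoted, the parser stops at the first comma and treats
            # "dc=edu" as a new attribute assignment, which is exactly the
            # "Unknown attribute 'dc'" error in the debug output.
            # Double quotes keep the whole URL as one value and still allow
            # %{...} expansion. RFC 4516 URL form: base?attributes?scope?filter.
            &Tunnel-Private-Group-Id := "%{ldap:ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com?radiusTunnelPrivateGroupId?sub?(uid=%{User-Name})}"
        }
    }
}

# mods-available/ldap (alternative, assumed instance name)
# Letting the module map the attribute avoids building a filter by hand;
# the reply attribute is filled from the user's own LDAP entry after lookup.
ldap ldap_allstudents {
    base_dn = "ou=Users,dc=edu,dc=kkc,dc=imc,dc=com"
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    update {
        reply:Tunnel-Private-Group-Id := 'radiusTunnelPrivateGroupId'
    }
}
```

Run `radiusd -XC` after either change: the config check must finish without the "Unknown attribute" error before a live request is tested.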