I want to branch an ldap attribute

西村暢敦 / NISHIMURA,NOBUATSU nobuatsu.nishimura.dg at ps.hitachi-solutions.com
Mon Jul 22 11:02:53 CEST 2019


Thanks Alan for the quick response!


The configuration has been corrected.


authorize {
	...
	if (specific AP) {
		update reply {
			Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com?uid?sub?uid=%u(radiusTunnelPrivateGroupId)}
		}
	}

It results in an error. Do you know the cause?
Please tell me the solution.



Below is my debug output.


Mon Jul 22 14:07:39 2019 : Debug: radiusd: #### Loading Virtual Servers ####
Mon Jul 22 14:07:39 2019 : Debug: server { # from file /etc/raddb/radiusd.conf
Mon Jul 22 14:07:39 2019 : Debug: } # server
Mon Jul 22 14:07:39 2019 : Debug: server default { # from file /etc/raddb/sites-enabled/default
Mon Jul 22 14:07:39 2019 : Debug:  authenticate {
Mon Jul 22 14:07:39 2019 : Debug:   group {
Mon Jul 22 14:07:39 2019 : Debug:    mschap
Mon Jul 22 14:07:39 2019 : Debug:   }
Mon Jul 22 14:07:39 2019 : Debug:   mschap
Mon Jul 22 14:07:39 2019 : Debug:   group {
Mon Jul 22 14:07:39 2019 : Debug:    if (&Realm == "edu.com" || &Realm == "edu.imc.com" || &Realm == "kkc.com") {
Mon Jul 22 14:07:39 2019 : Debug:     ldap_generalusers
Mon Jul 22 14:07:39 2019 : Debug:    }
Mon Jul 22 14:07:39 2019 : Debug:    elsif (&Realm == "NULL") {
Mon Jul 22 14:07:39 2019 : Debug:     if (&NAS-IP-Address == 10.254.x.xxx && &Framed-IP-Address =~ /^10\.241(\.[0-9]{1,3}){2}$/) {
Mon Jul 22 14:07:39 2019 : Debug:      ldap_outside
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:     else {
Mon Jul 22 14:07:39 2019 : Debug:      ldap_allstudent
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:    }
Mon Jul 22 14:07:39 2019 : Debug:   }
Mon Jul 22 14:07:39 2019 : Debug:   eap
Mon Jul 22 14:07:39 2019 : Debug:  } # authenticate
Mon Jul 22 14:07:39 2019 : Debug:  authorize {
Mon Jul 22 14:07:39 2019 : Debug:   policy rewrite_called_station_id {
Mon Jul 22 14:07:39 2019 : Debug:    if (&Called-Station-Id && &Called-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})([^0-9a-f](.+))?$/) {
Mon Jul 22 14:07:39 2019 : Debug:     update {
Mon Jul 22 14:07:39 2019 : Debug:      &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:     if ("%{8}") {
Mon Jul 22 14:07:39 2019 : Debug:      update {
Mon Jul 22 14:07:39 2019 : Debug:       &Called-Station-SSID := "%{8}"
Mon Jul 22 14:07:39 2019 : Debug:      }
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:     updated
Mon Jul 22 14:07:39 2019 : Debug:    }
Mon Jul 22 14:07:39 2019 : Debug:    else {
Mon Jul 22 14:07:39 2019 : Debug:     noop
Mon Jul 22 14:07:39 2019 : Debug:    }
Mon Jul 22 14:07:39 2019 : Debug:   }
Mon Jul 22 14:07:39 2019 : Debug:   preprocess
Mon Jul 22 14:07:39 2019 : Debug:   mschap
Mon Jul 22 14:07:39 2019 : Debug:   digest
Mon Jul 22 14:07:39 2019 : Debug:   suffix
Mon Jul 22 14:07:39 2019 : Debug:   eap
Mon Jul 22 14:07:39 2019 : Debug:     if {
Mon Jul 22 14:07:39 2019 : Debug:      ldap_allstudents
Mon Jul 22 14:07:39 2019 : Debug:      update {
Mon Jul 22 14:07:39 2019 : Debug:       &control:Auth-Type := LDAP
Mon Jul 22 14:07:39 2019 : Debug:      }
Mon Jul 22 14:07:39 2019 : Debug:      update {
Mon Jul 22 14:07:39 2019 : Debug:       &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users
Mon Jul 22 14:07:39 2019 : Debug:       &reply:dc = edu
Mon Jul 22 14:07:39 2019 : Debug:       &reply:dc = kkc
Mon Jul 22 14:07:39 2019 : Debug:       &reply:dc = imc
Mon Jul 22 14:07:39 2019 : Debug:       &reply:dc = 
Mon Jul 22 14:07:39 2019 : Debug:      }
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:    }
Mon Jul 22 14:07:39 2019 : Debug:   }
Mon Jul 22 14:07:39 2019 : Debug:   expiration
Mon Jul 22 14:07:39 2019 : Debug:   logintime
Mon Jul 22 14:07:39 2019 : Debug:  } # authorize
Mon Jul 22 14:07:39 2019 : Debug:  preacct {
Mon Jul 22 14:07:39 2019 : Debug:   preprocess

.....


Mon Jul 22 14:07:39 2019 : Debug:      if (&outer.request:Called-Station-SSID == 'authtest') {
Mon Jul 22 14:07:39 2019 : Debug:       update {
Mon Jul 22 14:07:39 2019 : Debug:        &control:Auth-Type := LDAP
Mon Jul 22 14:07:39 2019 : Debug:       }
Mon Jul 22 14:07:39 2019 : Debug:       update {
Mon Jul 22 14:07:39 2019 : Debug:        &reply:Tunnel-Private-Group-Id := %{ldap:ldap:///ou=Users
Mon Jul 22 14:07:39 2019 : Debug:        &reply:dc = edu
Mon Jul 22 14:07:39 2019 : Debug:        &reply:dc = kkc
Mon Jul 22 14:07:39 2019 : Debug:        &reply:dc = imc
Mon Jul 22 14:07:39 2019 : Debug:        &reply:dc = 
Mon Jul 22 14:07:39 2019 : Debug:       }
Mon Jul 22 14:07:39 2019 : Debug:      }
Mon Jul 22 14:07:39 2019 : Debug:      updated
Mon Jul 22 14:07:39 2019 : Debug:     }
Mon Jul 22 14:07:39 2019 : Debug:    }

Mon Jul 22 14:07:39 2019 : Error: /etc/raddb/sites-enabled/default[463]: Unknown attribute 'dc'

Regards
n.n



-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nobuatsu.nishimura.dg=ps.hitachi-solutions.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Friday, July 19, 2019 7:57 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: [!]Re: I want to branch an ldap attribute

On Jul 18, 2019, at 10:33 PM, 西村暢敦 / NISHIMURA,NOBUATSU <nobuatsu.nishimura.dg at ps.hitachi-solutions.com> wrote:
> 
> 
> I want to get vlanId (radiusTunnelPrivateGroupId) of the user I want to authenticate.
> Ldap query How should I write?

  See LDAP documentation for how to write LDAP queries.

  Then, paste the query into the FreeRADIUS configuration.

>> You can do dynamic LDAP queries:
>> 
>> authorize {
>> 	...
>> 	if (specific AP) {
>> 		update reply {
>> 			Tunnel-Private-Group-Id := "{ldap:ldap:///ou=Users,dc=edu,dc=com,uid?sub?radiusTunnelPrivateGroupId?}"

  That isn't correct.  The expansion uses %{...}.

>> 		}
>> 	}
> → Failed parsing expanded string

  Post the debug output.  There is just *no* reason for failing to do this.

> Is there a description method?

  There's lots of documentation for both FreeRADIUS and for LDAP.  

> Can I get vlan registered in ldap with any uid?

  That's a question for LDAP, not FreeRADIUS.

  Alan DeKok.
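Added example (not code from this thread or from the FreeRADIUS project): a small Python checker for the LDAP URL inside a %{ldap:...} expansion. It parses the URL by the RFC 4516 component order (base?attrs?scope?filter) and flags the two problems visible in the thread: the attribute to fetch is not in the attrs slot, and an unquoted unlang value containing commas is cut at every comma, which is what the "Unknown attribute 'dc'" lines in the debug output show. FIXED_URL and its %{User-Name} filter are constructed assumptions, not taken from the thread.

```python
# Constructed example, not code from the mailing-list thread or FreeRADIUS.
# Checks an LDAP URL against RFC 4516 and an unlang value against quoting.

SCOPES = {"base", "one", "sub"}

def parse_ldap_url(url):
    """Split an ldap:// URL into host, base DN, attrs, scope and filter."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, rest = url[len("ldap://"):].partition("/")
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))            # trailing components may be absent
    base, attrs, scope, filt = parts[:4]        # 5th component (extensions) ignored
    if scope and scope not in SCOPES:
        raise ValueError(f"scope must be base/one/sub, got {scope!r}")
    return {"host": host, "base": base,
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": filt}

def query_problems(url, wanted_attr):
    """Return readable problems with a query that is meant to fetch wanted_attr."""
    problems = []
    try:
        q = parse_ldap_url(url)
    except ValueError as exc:
        return [str(exc)]
    if wanted_attr not in q["attrs"]:
        problems.append(f"attrs slot is {q['attrs']}, does not request {wanted_attr}")
    if q["filter"] and not q["filter"].startswith("("):
        problems.append("filter should be a parenthesised RFC 4515 filter")
    return problems

def unlang_value_ok(value):
    """True if an `attr op value` right-hand side survives the unlang config
    parser intact. The thread's debug output shows an unquoted value being cut
    at every comma into bogus `dc = edu` assignments; quoting prevents that."""
    quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'`"
    return quoted or "," not in value

# Query from the thread (base DN as posted).
THREAD_URL = ("ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com"
              "?uid?sub?uid=%u(radiusTunnelPrivateGroupId)")
# Constructed well-formed equivalent: attribute in the attrs slot, filter on the user.
FIXED_URL = ("ldap:///ou=Users,dc=edu,dc=kkc,dc=imc,dc=com"
             "?radiusTunnelPrivateGroupId?sub?(uid=%{User-Name})")

if __name__ == "__main__":
    print(query_problems(THREAD_URL, "radiusTunnelPrivateGroupId"))
    print(unlang_value_ok("%{ldap:" + FIXED_URL + "}"), unlang_value_ok('"%{ldap:' + FIXED_URL + '}"'))
```

Running it prints the two problems with the thread's URL, then False for the unquoted expansion and True for the quoted one.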



-
List info/subscribe/unsubscribe? See https://clicktime.symantec.com/3Jn9zUmALWM37pVmvREZ6F97Vc?u=http%3A%2F%2Fwww.freeradius.org%2Flist%2Fusers.html


