Ldap Huntgroup 'Reject' issue

Kaya Saman kayasaman at optiplex-networks.com
Thu Nov 26 05:20:17 CET 2020

Many thanks Alan for the great guidance! :-)

I'm starting to understand a lot more now though there is still quite a 
lot of work to do.

As per your instructions I created an Attribute in the dictionary file 
called 'Ldap-Locality'. I swapped all the cases of 'Huntgroup-Name' out 
and replaced them with 'Ldap-Locality'. Everything worked fine though 
the initial issue persists.

Currently I am converting the authorize file entries to unlang. I have a 
few quick questions:

1. Do I need to add the unlang checks to both 'default' and 
'inner-tunnel' files?

2. Will FR see more then 1 value in the LocalityName field on the ldap 
server once the NAS entry is matched in the ldap path?

3. Currently I have added this snippet as a test in 'default':

authorize {

         update request {
                 Ldap-Locality =...

                 Ldap-Locality +=...
         if (Ldap-Locality == "<LocalityName_string>") {
                 if (Ldap-Group == "<group path>") {
                         update reply {
                                 NAS-Port-Type = "Wireless-802.11",
                                 Airespace-QOS-Level = 3

Is the 'update reply' portion correct as I am not seeing the 
Airespace-QOS-Level in the rad response from radiusd -X output?



On 2020-11-25 22:04, Alan DeKok wrote:
> On Nov 25, 2020, at 4:45 PM, Kaya Saman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> By 'l' value I meant the LocalityName attribute in ldap - for reference: http://www-public.imtbs-tsp.eu/~gardie/LDAP/Classes/Attributes-L.html
>    Ok... that was not clear at all from your message.
>> By doing:
>> authorize {
>>          update request {
>>                  Huntgroup-Name ="%{ldap:ldap:///<ldap path>?l?sub?cn=%{Packet-Src-IP-Address}}"
>> The Huntgroup-Name should equal the ?l? portion within the ldap path given before the Auth := Accept/Reject decision is made.
>    Except that Huntgroup-Name already has a meaning.  It performance checks in the "huntgroup" file.
>> I think this is where I am getting myself confused a little and probably finding it difficult to explain in addition??
>    You want to do a lot, so break it down into little pieces.
>> In short I want to test the Huntgroup-Name against the ldap LocaliltyName attribute which should match. If they don't then send the Auth := Reject.
>    No, you don't want to do that.  You want to check ANOTHER attribute against the LDAP LocaliltyName.
>    Please do what I said.  DON'T use Huntgroup-Name.  DO edit raddb/dictionary, and add your own attribute.  Perhaps "My-Huntgroup-Name".
>> I'm not sure if there are any examples of this to help me understand better how things work and how they should be implemented?
>    I gave fairly clear instructions:
>>>    I'd also say to start with a simple example.  Add a local attribute in raddb/dictionary, and use that.  Maybe even move the "users" file checks to "unlang".
>    Break the problem down into pieces.  If the "authorize" file seems confusing, use basic "unlang" statements.  The debug output for "unlang" is very long and descriptive.  It will tell you exactly what it's doing, and why.
>    In contrast, the debug for the "authorize" file only shows what matches.  It doesn't show why entries *don't* match.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list