ldap xlat syntax
Christopher Nighswonger
chris.nighswonger at gmail.com
Sat Apr 27 00:56:06 UTC 2024
Thanks for your help Alan. It got me off of high-center.
On Fri, Apr 26, 2024 at 4:21 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 26, 2024, at 3:42 PM, Christopher Nighswonger <chris.nighswonger at gmail.com> wrote:
> > (12) update reply {
> > (12) ERROR: Parsing LDAP URL failed
> > (12) EXPAND AD-Group:
> > %{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}
> > (12) --> AD-Group:
> > (12) Reply-Message += AD-Group:
>
> FreeRADIUS is just calling the OpenLDAP APIs to parse that URL. So if it fails, it's because OpenLDAP doesn't like the URL.
>
> Looking at it closely, you have 3 "/", not 2.
>
So as a result of your suggestion below to use ldapurl to help, I
ended up reading RFC 4516 (I usually don't do things like that on
Friday evening. ;-)
The triple slash is supposed to allow the client to select the LDAP
server of its choice. [1] That said, I ended up using
ldap://localhost/ since my Freeradius is on the same box as my Samba
AD DC and it cut out a potential ambiguity.
> > Questions:
> > 3. Is there a way to test/debug ldap xlat expressions which is more
> > efficient/simple than embedding them in the config and testing?
>
> Use ldapsearch and/or ldapurl from OpenLDAP.
The pointer to ldapurl was probably the most helpful part of all. I
owe you a coffee.
Here is what I actually ended up with which works very nicely:
if ("%{ldap:ldap://localhost/cn=Users,dc=foo,dc=bar,dc=com?sAMAccountName?sub?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com)(sAMAccountName=%{reply:User-Name}))}"
    == "%{reply:User-Name}") {
    update reply {
        Reply-Message += "Group: staff",
        ## Do more foo here. ##
    }
}
Thanks again for your help.
Chris
[1] https://datatracker.ietf.org/doc/html/rfc4516#section-4
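To put the RFC 4516 component order (dn?attributes?scope?filter) next to the two URLs from this thread, here is an added Python example; it is not from the thread and it is not OpenLDAP's ldapurl, which remains the tool to reach for. The host, DN and filter values are the ones quoted above, with the %{reply:User-Name} expansion replaced by the constructed value jdoe.

```python
import re
from urllib.parse import unquote

SCOPES = {"base", "one", "sub"}
ATTR_DESC = re.compile(r"[A-Za-z0-9.;-]+")   # attribute description, roughly (RFC 4512)

# Constructed from the thread: the first URL as originally written, the second as reordered.
EXAMPLE_FIRST = ("ldap:///cn=Users,dc=foo,dc=bar,dc=com"
                 "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName")
EXAMPLE_FINAL = ("ldap://localhost/cn=Users,dc=foo,dc=bar,dc=com?sAMAccountName?sub"
                 "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com)(sAMAccountName=jdoe))")

def parse_ldap_url(url):
    """Split an RFC 4516 URL into its components, or raise ValueError.

    Grammar: scheme "://" [host[:port]] "/" dn ["?" attrs ["?" scope ["?" filter ["?" exts]]]]
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps")
    hostport, slash, rest = rest.partition("/")
    if not slash:
        raise ValueError("missing '/' between host part and DN")
    host, _, port = hostport.partition(":")
    fields = rest.split("?", 4) + [""] * 4        # pad to dn, attrs, scope, filter, exts
    dn, attrs, scope, filt, exts = fields[:5]
    attributes = [a for a in attrs.split(",") if a]
    bad = [a for a in attributes if not ATTR_DESC.fullmatch(a)]
    if bad:
        raise ValueError(f"attribute list contains non-attribute {bad[0]!r}")
    scope = scope.lower() or "base"               # an empty scope defaults to base
    if scope not in SCOPES:
        raise ValueError(f"scope must be base/one/sub, got {scope!r}")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be a parenthesised RFC 4515 filter")
    return {"scheme": scheme.lower(),
            "host": host,                         # "" means the client picks the server
            "port": int(port) if port else None,
            "dn": unquote(dn), "attributes": attributes, "scope": scope,
            "filter": unquote(filt) or "(objectClass=*)", "extensions": exts}

def validate(url):
    """Return None if the URL parses, otherwise the reason it does not."""
    try:
        parse_ldap_url(url)
        return None
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    for u in (EXAMPLE_FIRST, EXAMPLE_FINAL):
        print(validate(u) or parse_ldap_url(u))
```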