Check LDAP if object exists with filter based on user's certificate attributes after EAP-TLS auth succeeds?
Alexey D. Filimonov
alexey at filimonic.net
Mon Nov 4 13:34:57 UTC 2024
Thank you, Alan!
But where can I find any information about xlat-ing ldap? I found only a
single example in `dynamic-clients`.
On 2024-11-04 12:02, Alan DeKok wrote:
> On Nov 3, 2024, at 11:55 PM, Alexey D. Filimonov <alexey at filimonic.net> wrote:
>> In short, I have EAP-TLS auth, and I need to check if there is an LDAP object that has the value of `TLS-Client-Cert-Subject-Alt-Name-Upn` in its `krbCanonicalName` attribute and whose `createTimestamp` is less than or equal to the `TLS-Client-Cert-Valid-Since` value.
>>
>> 1. I found that `TLS-Client-Cert-Subject-Alt-Name-Upn` attribute is created only inside `authenticate { Auth-Type eap { ... }}` section.
>>
>> Is it correct that I have no access to certificate properties inside `authorize` section?
> To be clear: The EAP module creates the TLS attributes when it's run in the "authenticate" section.
>
> As a result, policies based on TLS attributes should be placed after the EAP module runs in the "authenticate" section.
>
>> 2. Next, I found that according to [rlm_ldap guide from networkradius](https://www.networkradius.com/doc/current/raddb/mods-available/ldap.html), ldap module can `look for user` only inside `authorize` section, but not inside `authenticate`.
>>
>> Is it correct that I cannot make a check for the existence of an object in LDAP from the `authenticate` section using the `rlm_ldap` module, and that only xlat-ing can be used?
> You can run the "authorize" method of the LDAP module at any time. Just reference it as "ldap.authorize". e.g.
>
> Auth-Type eap {
> eap
> ldap.authorize
> }
>
>> 3. I found that there are some xlat functions exposed by `rlm_ldap` module, but they are only mentioned in my `mods-available/ldap`, and not documented in `3.2.x` branch on github.
>> I have the FreeRADIUS version from debian-stable and it is `3.2.1`.
>>
>> Is raddb/mods-available/ldap from the master branch useful as documentation for 3.2.1 ldap?
> No.
>
> Many things changed from v3 to v4, and you cannot use the v4 documentation for v3.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
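As an added illustration of Alan's answer (example configuration written for this page, not code from the thread or from the FreeRADIUS project), the following v3 virtual-server fragment puts the two pieces together: `ldap.authorize` is called after `eap` inside `authenticate`, which is the only place where the `TLS-Client-Cert-*` attributes exist, and the `%{ldap:ldap:///...}` xlat described in `mods-available/ldap` performs the existence check against `krbCanonicalName`. The base DN `dc=example,dc=com`, the module instance name `ldap`, the use of `Tmp-String-0` and the reply text are assumptions; the timestamp comparison against `TLS-Client-Cert-Valid-Since` is only taken as far as retrieving the LDAP value, since converting LDAP generalizedTime into the date form of that attribute is not covered by the thread.

```unlang
# Added example, not from the mailing-list thread or the FreeRADIUS project.
# Assumes an rlm_ldap instance named "ldap" with base DN dc=example,dc=com.
authenticate {
    Auth-Type eap {
        # EAP-TLS runs first. During the intermediate EAP rounds the module
        # returns "handled" and processing stops here; only on the final,
        # successful round do the TLS-Client-Cert-* attributes exist and the
        # lines below run.
        eap

        # Run the LDAP module's "authorize" method here (per Alan's reply)
        # so that the user lookup can see the certificate attributes.
        ldap.authorize

        # Existence check: fetch createTimestamp of the object whose
        # krbCanonicalName equals the UPN from the certificate's SAN.
        # The UPN is attacker-influenced input taken from the client
        # certificate, so it should be LDAP-filter-escaped before being
        # interpolated into the filter (escaping not shown here).
        update request {
            Tmp-String-0 := "%{ldap:ldap:///dc=example,dc=com?createTimestamp?sub?(krbCanonicalName=%{TLS-Client-Cert-Subject-Alt-Name-Upn})}"
        }

        # An empty result means no directory object matched the UPN.
        if ("%{Tmp-String-0}" == "") {
            update reply {
                Reply-Message := "No directory object for certificate UPN"
            }
            reject
        }

        # Tmp-String-0 now holds the LDAP generalizedTime of the object
        # (for example 20240101120000Z). Comparing it against
        # TLS-Client-Cert-Valid-Since requires both values in the same
        # representation; that conversion is left out of this example.
    }
}
```

The ordering is what makes this work: because `eap` sits before `ldap.authorize`, the lookup never runs on a half-finished TLS handshake, and a missing object results in an explicit `reject` rather than silently continuing to a successful EAP-TLS result.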