LDAP and RFC2868 tagged attributes for Tunnel
Alan DeKok
aland at deployingradius.com
Mon Feb 24 20:50:56 UTC 2025
On Feb 24, 2025, at 12:09 PM, Ron Grant <ron at balansoft.com> wrote:
> I would like to know if anyone has encountered (and solved!) this before.
>
> I am trying to use LDAP Tunnel attributes to establish PPP over L2TP tunnels from a provider's LAC to our LNS.
>
> This has been working for many years now using freeradius 2.2.6 using the following syntax in /etc/raddb/ldap.attrmap:
Oh boy...
> However when upgrading these servers to a modern distro (ubuntu 24.04), and to freeradius 3.2.5, and adding the following lines to the "update" section of the ldap module:
> ...
> I get the following reply:
>
> Tunnel-Server-Endpoint:0 = ":0:AA.BB.20.106"
> Tunnel-Server-Endpoint:0 = ":1:AA.BB.20.114"
> Tunnel-Server-Endpoint:0 = ":2:CC.DD.80.26"
Yes. Unfortunately we had to change how the tags were being managed in v3. Parsing the tags from the values caused problems. So the tags were moved to be associated with the attribute name. That makes sense, as that's how the tags are printed.
It looks like this was a situation which was missed.
> which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons.
? I still see the colons in the values you posted.
> Debug follows, but obviously what I am trying to do is tell freeradius 3.2.5 that these attributes "has_tag".....it obviously knows they SHOULD have a tag but it's not picking them up.
Sure.
I've pushed some changes to the v3.2.x branch which should help. They're "compile tested", so it might not be perfect. But you should now be able to update the LDAP mapping to:
reply:Tunnel-Type:V += 'radiusTunnelType'
reply:Tunnel-Medium-Type:V += 'radiusTunnelMediumType'
reply:Tunnel-Server-Endpoint:V += 'radiusTunnelServerEndpoint'
reply:Tunnel-Password:V += 'radiusTunnelPassword'
reply:Tunnel-Preference:V += 'radiusTunnelPreference'
and the tag will be parsed from the value.
This won't work if the data in LDAP is double-quoted strings, e.g.
radiustunnelserverendpoint: ":0:AA.BB.20.106"
But it will work for simple strings without quotes:
radiustunnelserverendpoint: :0:AA.BB.20.106
Please test it and tell me whether or not it works.
Alan DeKok.
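As an added illustration of the tag handling discussed in this thread (not code from the thread, nor from FreeRADIUS itself), the script below parses the ":<tag>:<value>" form the LDAP data uses, builds and decodes the RFC 2868 wire encoding (tag octet first, then the integer or string), and shows the two failure modes the reply mentions: a value wrapped in double quotes does not start with ":" and so yields no tag, and on the wire a first octet above 0x1F is not a tag at all. Attribute type numbers are those from RFC 2868; the sample values are the placeholder endpoints from the original post plus one constructed quoted value. Tunnel-Password is left out because its value is salt-encrypted with the shared secret.

```python
import re

# RFC 2868 tunnel attributes carrying a tag in the first octet of the value.
# Type numbers are from RFC 2868 section 3: the integer ones are 1 tag byte
# plus a 3-byte big-endian integer, the rest are 1 tag byte plus a string.
TAGGED_INTEGER = {"Tunnel-Type": 64, "Tunnel-Medium-Type": 65, "Tunnel-Preference": 83}
TAGGED_STRING = {
    "Tunnel-Client-Endpoint": 66, "Tunnel-Server-Endpoint": 67,
    "Tunnel-Private-Group-ID": 81, "Tunnel-Assignment-ID": 82,
    "Tunnel-Client-Auth-ID": 90, "Tunnel-Server-Auth-ID": 91,
}
# Tunnel-Password (69) is tagged too, but its value is salt-encrypted with the
# shared secret, so it is deliberately left out of this plain encoder.

# Textual form used by the LDAP data in the thread: ":<tag>:<value>".
TAG_PREFIX = re.compile(r"^:(\d{1,2}):(.*)\Z", re.DOTALL)


def parse_tagged_value(raw):
    """Split ':<tag>:<value>' into (tag, value); (None, raw) when no prefix.

    A value stored with surrounding double quotes, '":0:x"', does not match
    because its first character is '"', not ':' -- the same failure mode the
    reply warns about for quoted LDAP data.
    """
    m = TAG_PREFIX.match(raw)
    if not m:
        return None, raw
    tag = int(m.group(1))
    if tag > 0x1F:
        raise ValueError(f"tag {tag} outside the RFC 2868 range 0..31")
    return tag, m.group(2)


def encode_tagged(attr, tag, value):
    """Build the RFC 2868 wire AVP: Type, Length, Tag, then Integer or String."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    if attr in TAGGED_INTEGER:
        body = bytes([tag]) + int(value).to_bytes(3, "big")
        return bytes([TAGGED_INTEGER[attr], 2 + len(body)]) + body
    if attr in TAGGED_STRING:
        data = value.encode()
        if len(data) > 252:  # 253-octet RADIUS value limit minus the tag byte
            raise ValueError("string too long for a single RADIUS attribute")
        body = bytes([tag]) + data
        return bytes([TAGGED_STRING[attr], 2 + len(body)]) + body
    raise KeyError(f"{attr} is not a tagged tunnel attribute")


def decode_tagged(avp):
    """Inverse of encode_tagged: returns (attr_name, tag, value)."""
    typ, length = avp[0], avp[1]
    if length != len(avp) or length < 3:
        raise ValueError("bad RADIUS attribute length")
    by_type = {v: k for k, v in TAGGED_INTEGER.items()}
    by_type.update({v: k for k, v in TAGGED_STRING.items()})
    attr = by_type[typ]
    first = avp[2]
    if attr in TAGGED_INTEGER:
        return attr, first, int.from_bytes(avp[3:6], "big")
    # RFC 2868 sections 3.3/3.4: a first octet above 0x1F is not a tag but the
    # first byte of the string itself, and the attribute is untagged.
    if first > 0x1F:
        return attr, 0, avp[2:].decode()
    return attr, first, avp[3:].decode()


def ldap_values_to_reply(attr, ldap_values):
    """Turn LDAP values into FreeRADIUS-style 'Attr:tag = "value"' lines plus
    wire AVPs, skipping (and reporting) values whose tag could not be parsed."""
    lines, avps, rejected = [], [], []
    for raw in ldap_values:
        tag, value = parse_tagged_value(raw)
        if tag is None:
            rejected.append(raw)
            continue
        lines.append(f'{attr}:{tag} = "{value}"')
        avps.append(encode_tagged(attr, tag, value))
    return lines, avps, rejected


if __name__ == "__main__":
    # Constructed sample: the placeholder endpoints from the post, plus one
    # quoted value of the kind the reply says will not be parsed.
    sample = [":0:AA.BB.20.106", ":1:AA.BB.20.114", ":2:CC.DD.80.26", '":3:EE.FF.1.2"']
    lines, avps, rejected = ldap_values_to_reply("Tunnel-Server-Endpoint", sample)
    print("\n".join(lines))
    print("rejected:", rejected)
    for avp in avps:
        print(avp.hex(), decode_tagged(avp))
```

Running it prints the three endpoints in the "Tunnel-Server-Endpoint:<tag> = ..." form the poster expected (tag on the attribute, not in the value) and lists the quoted value as rejected; the hex dump shows type 67, the length, the tag octet and the string, which is what a packet capture of the Access-Accept should contain once the mapping works.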