LDAP and RFC2868 tagged attributes for Tunnel

Ron Grant ron at balansoft.com
Mon Feb 24 21:07:06 UTC 2025


I was partially afraid of this - and partially hoping for it - i.e. "I'm 
not crazy". :-)

Yes, the colons were still in there - that was a misspeak on my part in 
the original post. I corrected it in the next reply, but indeed the data 
remained intact.

Should I try the .V syntax first, or do I have to download first? I 
suspect it'd take a while to get to Ubuntu.....



On 2025-02-24 12:50 p.m., Alan DeKok wrote:
> On Feb 24, 2025, at 12:09 PM, Ron Grant <ron at balansoft.com> wrote:
>> I would like to know if anyone has encountered (and solved!) this before.
>>
>> I am trying to use LDAP Tunnel attributes to establish PPP over L2TP tunnels from a provider's LAC to our LNS.
>>
>> This has been working for many years now using freeradius 2.2.6 using the following syntax in /etc/raddb/ldap.attrmap:
>    Oh boy...
>
>> However when upgrading these servers to a modern distro (ubuntu 24.04), and to freeradius 3.2.5, and adding the following lines to the "update" section of the ldap module:
>> ...
>> I get the following reply:
>>
>>      Tunnel-Server-Endpoint:0 = ":0:AA.BB.20.106"
>>      Tunnel-Server-Endpoint:0 = ":1:AA.BB.20.114"
>>      Tunnel-Server-Endpoint:0 = ":2:CC.DD.80.26"
>    Yes.  Unfortunately we had to change how the tags were being managed in v3.  Parsing the tags from the values caused problems.  So the tags were moved to be associated with the attribute name.  That makes sense, as that's how the tags are printed.
>
>    It looks like this was a situation which was missed.
>
>> which is obviously not right - it does not seem to be recognizing the attributes as ones that need to have a tag pulled out - though curiously it does remove the colons.
>    ?  I still see the colons in the values you posted.
>
>> Debug follows, but obviously what I am trying to do is tell freeradius 3.2.5 that these attributes "has_tag".....it obviously knows they SHOULD have a tag but it's not picking them up.
>    Sure.
>
>    I've pushed some changes to the v3.2.x branch which should help.  They're "compile tested", so it might not be perfect.  But you should now be able to update the LDAP mapping to:
>
>          reply:Tunnel-Type:V        += 'radiusTunnelType'
>          reply:Tunnel-Medium-Type:V    += 'radiusTunnelMediumType'
>          reply:Tunnel-Server-Endpoint:V    += 'radiusTunnelServerEndpoint'
>          reply:Tunnel-Password:V        += 'radiusTunnelPassword'
>          reply:Tunnel-Preference:V        += 'radiusTunnelPreference'
>
>    and the tag will be parsed from the value.
>
>    This won't work if the data in LDAP is double-quoted strings, e.g.
>
> 	radiustunnelserverendpoint: ":0:AA.BB.20.106"
>
>    But it will work for simple strings without quotes:
>
> 	radiustunnelserverendpoint: :0:AA.BB.20.106
>
>    Please test it and tell me whether or not it works.
>
>    Alan DeKok.
>

-- 
Ron Grant
Balan Software/Networks
Network Architecture & Programming
604-737-2113

ca.linkedin.com/in/obiron
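As an added example (not code from either poster or from FreeRADIUS), the following Python parses LDAP values in the ':tag:value' form discussed above and groups them into per-tag tunnel sets, rejecting the double-quoted form Alan says will not parse. The LDAP entry, the attribute mapping names and the addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample LDAP entry (not the poster's data): the multi-valued
# ':tag:value' layout from the thread, with RFC 5737 documentation addresses.
LDAP_ENTRY = {
    "radiusTunnelType": [":0:L2TP", ":1:L2TP", ":2:L2TP"],
    "radiusTunnelMediumType": [":0:IPv4", ":1:IPv4", ":2:IPv4"],
    "radiusTunnelServerEndpoint": [":0:192.0.2.106", ":1:192.0.2.114",
                                   ":2:198.51.100.26"],
    "radiusTunnelPreference": [":0:10", ":1:20", ":2:30"],
}

# LDAP attribute -> RADIUS attribute, mirroring the ldap "update" block.
ATTRMAP = {
    "radiusTunnelType": "Tunnel-Type",
    "radiusTunnelMediumType": "Tunnel-Medium-Type",
    "radiusTunnelServerEndpoint": "Tunnel-Server-Endpoint",
    "radiusTunnelPreference": "Tunnel-Preference",
}

TAGGED = re.compile(r"^:(\d{1,2}):(.*)$", re.S)


def split_tag(raw):
    """Split ':N:value' into (N, value); return (None, raw) if untagged.
    RFC 2868 tag octets run 0x00 (unused) to 0x1F, so N must be 0..31.
    A value stored with literal double quotes is rejected: the tag prefix
    is then hidden inside the quotes and would be passed through verbatim,
    which is exactly the ':0:...' reply seen in the thread."""
    if raw.startswith('"') and raw.endswith('"'):
        raise ValueError(f"quoted LDAP value, tag not parseable: {raw}")
    m = TAGGED.match(raw)
    if not m:
        return None, raw
    tag = int(m.group(1))
    if tag > 31:
        raise ValueError(f"tag {tag} outside RFC 2868 range 0..31: {raw}")
    return tag, m.group(2)


def group_tunnels(entry, attrmap=ATTRMAP):
    """Return {tag: {radius_attr: value}}, one dict per tunnel candidate, so
    each tag's Type/Medium-Type/Endpoint/Preference can be checked together."""
    tunnels = defaultdict(dict)
    for ldap_attr, values in entry.items():
        for raw in values:
            tag, value = split_tag(raw)
            tunnels[tag][attrmap[ldap_attr]] = value
    return dict(tunnels)
```

Running `group_tunnels` over an exported LDAP entry before changing the server mapping shows at once whether every tunnel's attributes line up under the same tag and whether any value is stored quoted.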


