What happens if you do this.
Add the following to ldap.attrmap
checkItem Pool-Name supannaffectation
Then remove all those users file entries with Ldap-Group, so it just does
an LDAP lookup, not specifically matching on groups.
This should pool the supannafecction attribute from ldap and make that the
Pool-Name check item, which should then fire ippool.
-Dusty Doris
On Thu, 18 Nov 2004, LALOT Dominique wrote:
> Thanks for all, because it's starting to work.
>
> But: I noticed that I call ldap for each group before founding the right
> one. An for me the group name is just an ldap attr to read.
> Then when finding the group, for the IP pool, I have to read all the
> pools even when it return ok.
>
> Hopefully, I have less than 10 groupes!. groupmembership is
> supannaffectation.
>
> Is there something else to do?.
>
> Thanks
>
> dom
>
> users:
> DEFAULT Ldap-Group == IUT, Pool-Name := "IUT_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == Medecine, Pool-Name := "Medecine_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == ESIL, Pool-Name := "Esil_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == Pharo, Pool-Name := "Pharo_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == Sciences, Pool-Name := "Sciences_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == Pharmacie, Pool-Name := "Pharmacie_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == OSU, Pool-Name := "OSU_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == IM2, Pool-Name := "IM2_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
> DEFAULT Ldap-Group == STAPS, Pool-Name := "STAPS_pool"
> Service-Type == Framed-User,
> Fall-Through = no
>
>
>
> rlm_ldap: user fred authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 2
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=ScEco)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
> with filter (objectclass=*)
> rlm_ldap::groupcmp: Group ScEco not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=IUT)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
> with filter (objectclass=*)
> rlm_ldap::groupcmp: Group IUT not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=Medecine)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
> with filter (objectclass=*)
> rlm_ldap::groupcmp: Group Medecine not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=ESIL)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
> with filter (objectclass=*)
> rlm_ldap::groupcmp: Group ESIL not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=Pharo)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
> with filter (objectclass=*)
> rlm_ldap::groupcmp: Group Pharo not found ????or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
> filter (&(supannaffectation=Sciences)(uid=fred))
> rlm_ldap::ldap_groupcmp: User found in group Sciences
> rlm_ldap: ldap_release_conn: Release Id: 0
>
>
> modcall: entering group post-auth for request 2
> modcall[post-auth]: module "ScEco_pool" returns noop for request 2
> modcall[post-auth]: module "IUT_pool" returns noop for request 2
> modcall[post-auth]: module "Medecine_pool" returns noop for request 2
> modcall[post-auth]: module "Esil_pool" returns noop for request 2
> modcall[post-auth]: module "Pharo_pool" returns noop for request 2
> rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
> rlm_ippool: Found a stale entry for ip/port: 139.124.210.71/1813
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
> rlm_ippool: Allocating ip to nas/port: 255.255.255.255/1813
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 139.124.210.55 to client on nas
> 255.255.255.255,port 1813
> modcall[post-auth]: module "Sciences_pool" returns ok for request 2
> modcall[post-auth]: module "Pharmacie_pool" returns noop for request 2
> modcall[post-auth]: module "OSU_pool" returns noop for request 2
> modcall[post-auth]: module "IM2_pool" returns noop for request 2
> modcall[post-auth]: module "STAPS_pool" returns noop for request 2
> modcall[post-auth]: module "DEF_pool" returns noop for request 2
> modcall: group post-auth returns ok for request 2
>
>
>
>
>
> >
> >> You'll still need to configure the ippool modules and include those
> >> in the
> >> accounting section and post-auth section. Forgot to include that in the
> >> last email. A radiusd -X will show you exactly what is going on. If it
> >> doesn't work, please post that to the list will all output.
> >>
> >> ie:
> >>
> >> accounting {
> >> ...
> >> u2labo
> >> u3labo
> >> ...
> >> }
> >>
> >> post_auth {
> >> ...
> >> u2labo
> >> u3labo
> >> ...
> >> }
> >>
> >> On Wed, 17 Nov 2004, LALOT Dominique wrote:
> >>
> >>
> >>
> >>> Thanks,
> >>>
> >>> I have to leave, but the quick and last test I did with your advice,
> >>> gave me bad results. See tomorrow..
> >>> Using radtest, I don't get any IP, and there is very little doc about
> >>> ippool and the way it works.
> >>>
> >>> I suppose that the NAS is completely relying on radius for IP delivery.
> >>> I'm wondering what happen in case of the failure of the main radius
> >>> server.
> >>>
> >>> Dom
> >>>
> >>> Dustin Doris a ïcrit :
> >>>
> >>>
> >>>
> >>>>> Hello all,
> >>>>>
> >>>>> I've spent quite a long time trying to understand how freeradius
> >>>>> works
> >>>>> and trying to get everything I want working.
> >>>>> I am using Openldap since 2001 and I've no problems to understand
> >>>>> LDAP
> >>>>> as I wrote many programs around LDAP. In fact I don't understand how
> >>>>> groups are working under radius.
> >>>>>
> >>>>> My aim: I would like to distribute different IP pool for users.
> >>>>>
> >>>>> The best for me: In the users DN, we already have an attribute for a
> >>>>> laboratory, ie u2labo
> >>>>> I would like to say:
> >>>>> 1. authenticate the user in ldap (works ok)
> >>>>> 2. Get the attribute u2labo
> >>>>> 3 use that value to get the ip range (somewhere even outside ldap
> >>>>> (users)) to distribute the IP.
> >>>>>
> >>>>> I've tried many configurations without success. The debugging of ldap
> >>>>> show me just bind successfull without search for groups. I tried to
> >>>>> add radiusprofile Objectclass without success. So what is the
> >>>>> meaning
> >>>>> of groups in radius?.
> >>>>> can we say:
> >>>>> user fred attributes XXX member of group test
> >>>>> group test the rest of attributes.
> >>>>>
> >>>>> Could you give me the minimum to set in conf files to get it working?
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Dom
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >
>
> --
> Dominique LALOT
> IngÃnieur SystÃme RÃseau CISCAM Pole RÃseau
> Università de la MÃditerranÃe
> http://annuaire.univ.fr/showuser.php?uid=lalot
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
