Works well (on debug). But I've juste two more questions:
1. I would like to have a catch all definition if suppannaffectation
gives a non existing pool-name
ÂÂ I put this in users:
ÂÂ DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"
ÂÂÂÂÂÂÂ Framed-MTU = 1500,
ÂÂÂÂÂÂÂ Fall-Through = Yes
ÂÂ but didn't work
2. I would like the pool-name to be case insensitive, so it will work
for SCECO or ScEco
Is it possible?.
Dustin Doris a ÃcritÂ:
What happens if you do this.
Add the following to ldap.attrmap
checkItem Pool-Name supannaffectation
Then remove all those users file entries with Ldap-Group, so it just does
an LDAP lookup, not specifically matching on groups.
This should pool the supannafecction attribute from ldap and make that the
Pool-Name check item, which should then fire ippool.
-Dusty Doris
On Thu, 18 Nov 2004, LALOT Dominique wrote:
Thanks for all, because it's starting to work.
But: I noticed that I call ldap for each group before founding the right
one. An for me the group name is just an ldap attr to read.
Then when finding the group, for the IP pool, I have to read all the
pools even when it return ok.
Hopefully, I have less than 10 groupes!. groupmembership is
supannaffectation.
Is there something else to do?.
Thanks
dom
users:
DEFAULT Ldap-Group == IUT, Pool-Name := "IUT_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == Medecine, Pool-Name := "Medecine_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == ESIL, Pool-Name := "Esil_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == Pharo, Pool-Name := "Pharo_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == Sciences, Pool-Name := "Sciences_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == Pharmacie, Pool-Name := "Pharmacie_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == OSU, Pool-Name := "OSU_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == IM2, Pool-Name := "IM2_pool"
Service-Type == Framed-User,
Fall-Through = no
DEFAULT Ldap-Group == STAPS, Pool-Name := "STAPS_pool"
Service-Type == Framed-User,
Fall-Through = no
rlm_ldap: user fred authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=ScEco)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ScEco not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=IUT)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group IUT not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Medecine)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Medecine not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=ESIL)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ESIL not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Pharo)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Pharo not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
radius_xlat: '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Sciences)(uid=fred))
rlm_ldap::ldap_groupcmp: User found in group Sciences
rlm_ldap: ldap_release_conn: Release Id: 0
modcall: entering group post-auth for request 2
modcall[post-auth]: module "ScEco_pool" returns noop for request 2
modcall[post-auth]: module "IUT_pool" returns noop for request 2
modcall[post-auth]: module "Medecine_pool" returns noop for request 2
modcall[post-auth]: module "Esil_pool" returns noop for request 2
modcall[post-auth]: module "Pharo_pool" returns noop for request 2
rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
rlm_ippool: Found a stale entry for ip/port: 139.124.210.71/1813
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
rlm_ippool: Allocating ip to nas/port: 255.255.255.255/1813
rlm_ippool: num: 1
rlm_ippool: Allocated ip 139.124.210.55 to client on nas
255.255.255.255,port 1813
modcall[post-auth]: module "Sciences_pool" returns ok for request 2
modcall[post-auth]: module "Pharmacie_pool" returns noop for request 2
modcall[post-auth]: module "OSU_pool" returns noop for request 2
modcall[post-auth]: module "IM2_pool" returns noop for request 2
modcall[post-auth]: module "STAPS_pool" returns noop for request 2
modcall[post-auth]: module "DEF_pool" returns noop for request 2
modcall: group post-auth returns ok for request 2
You'll still need to configure the ippool modules and include those
in the
accounting section and post-auth section. Forgot to include that in the
last email. A radiusd -X will show you exactly what is going on. If it
doesn't work, please post that to the list will all output.
ie:
accounting {
...
u2labo
u3labo
...
}
post_auth {
...
u2labo
u3labo
...
}
On Wed, 17 Nov 2004, LALOT Dominique wrote:
Thanks,
I have to leave, but the quick and last test I did with your advice,
gave me bad results. See tomorrow..
Using radtest, I don't get any IP, and there is very little doc about
ippool and the way it works.
I suppose that the NAS is completely relying on radius for IP delivery.
I'm wondering what happen in case of the failure of the main radius
server.
Dom
Dustin Doris a ïcrit :
Hello all,
I've spent quite a long time trying to understand how freeradius
works
and trying to get everything I want working.
I am using Openldap since 2001 and I've no problems to understand
LDAP
as I wrote many programs around LDAP. In fact I don't understand how
groups are working under radius.
My aim: I would like to distribute different IP pool for users.
The best for me: In the users DN, we already have an attribute for a
laboratory, ie u2labo
I would like to say:
1. authenticate the user in ldap (works ok)
2. Get the attribute u2labo
3 use that value to get the ip range (somewhere even outside ldap
(users)) to distribute the IP.
I've tried many configurations without success. The debugging of ldap
show me just bind successfull without search for groups. I tried to
add radiusprofile Objectclass without success. So what is the
meaning
of groups in radius?.
can we say:
user fred attributes XXX member of group test
group test the rest of attributes.
Could you give me the minimum to set in conf files to get it working?
Thanks
Dom
--
Dominique LALOT
IngÃnieur SystÃme RÃseau CISCAM Pole RÃseau
Università de la MÃditerranÃe http://annuaire.univ.fr/showuser.php?uid=lalot
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
Dominique LALOT
IngÃnieur SystÃme RÃseau CISCAM Pole RÃseau
Università de la MÃditerranÃe http://annuaire.univ-mrs.fr/showuser.php?uid=lalot
|
