Works well (on debug). But I've just two more questions:
1. I would like to have a catch-all definition if supannaffectation gives a non-existing pool-name
   I put this in users:
   DEFAULT Service-Type == Framed-User, Pool-Name := "DEF_pool"
           Framed-MTU = 1500,
           Fall-Through = Yes
   but it didn't work
2. I would like the pool-name to be case-insensitive, so it will work for SCECO or ScEco

Is it possible?

Dustin Doris wrote:
What happens if you do this.

Add the following to ldap.attrmap

checkItem	Pool-Name		supannaffectation

Then remove all those users file entries with Ldap-Group, so it just does
an LDAP lookup, not specifically matching on groups.

This should pull the supannaffectation attribute from ldap and make that the
Pool-Name check item, which should then fire ippool.

-Dusty Doris

On Thu, 18 Nov 2004, LALOT Dominique wrote:

  
Thanks for all, because it's starting to work.

But: I noticed that I call ldap for each group before finding the right
one. And for me the group name is just an ldap attr to read.
Then when finding the group, for the IP pool, I have to read all the
pools even when it returns ok.

Hopefully, I have less than 10 groups! groupmembership is
supannaffectation.

Is there something else to do?

Thanks

dom

users:
DEFAULT Ldap-Group == IUT, Pool-Name := "IUT_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == Medecine, Pool-Name := "Medecine_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == ESIL, Pool-Name := "Esil_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == Pharo, Pool-Name := "Pharo_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == Sciences, Pool-Name := "Sciences_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == Pharmacie, Pool-Name := "Pharmacie_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == OSU, Pool-Name := "OSU_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == IM2, Pool-Name := "IM2_pool"
        Service-Type == Framed-User,
        Fall-Through = no

DEFAULT Ldap-Group == STAPS, Pool-Name := "STAPS_pool"
        Service-Type == Framed-User,
        Fall-Through = no



rlm_ldap: user fred authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=ScEco)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ScEco not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=IUT)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group IUT not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Medecine)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Medecine not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ-mrs,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=ESIL)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group ESIL not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Pharo)(uid=fred))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group Pharo not found ????or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=people,ou=u2,dc=univ,dc=fr'
radius_xlat:  '(uid=fred)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Sciences)(uid=fred))
rlm_ldap::ldap_groupcmp: User found in group Sciences
rlm_ldap: ldap_release_conn: Release Id: 0


modcall: entering group post-auth for request 2
  modcall[post-auth]: module "ScEco_pool" returns noop for request 2
  modcall[post-auth]: module "IUT_pool" returns noop for request 2
  modcall[post-auth]: module "Medecine_pool" returns noop for request 2
  modcall[post-auth]: module "Esil_pool" returns noop for request 2
  modcall[post-auth]: module "Pharo_pool" returns noop for request 2
rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
rlm_ippool: Found a stale entry for ip/port: 139.124.210.71/1813
rlm_ippool: num: 0
rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
rlm_ippool: Allocating ip to nas/port: 255.255.255.255/1813
rlm_ippool: num: 1
rlm_ippool: Allocated ip 139.124.210.55 to client on nas
255.255.255.255,port 1813
  modcall[post-auth]: module "Sciences_pool" returns ok for request 2
  modcall[post-auth]: module "Pharmacie_pool" returns noop for request 2
  modcall[post-auth]: module "OSU_pool" returns noop for request 2
  modcall[post-auth]: module "IM2_pool" returns noop for request 2
  modcall[post-auth]: module "STAPS_pool" returns noop for request 2
  modcall[post-auth]: module "DEF_pool" returns noop for request 2
modcall: group post-auth returns ok for request 2





    
You'll still need to configure the ippool modules and include those in the
accounting section and post-auth section.  Forgot to include that in the
last email.  A radiusd -X will show you exactly what is going on.  If it
doesn't work, please post that to the list with all output.

ie:

accounting {
...
u2labo
u3labo
...
}

post-auth {
...
u2labo
u3labo
...
}

On Wed, 17 Nov 2004, LALOT Dominique wrote:



        
Thanks,

I have to leave, but the quick and last test I did with your advice,
gave me bad results. See tomorrow..
Using radtest, I don't get any IP, and there is very little doc about
ippool and the way it works.

I suppose that the NAS is completely relying on radius for IP delivery.
I'm wondering what happens in case of the failure of the main radius
server.

Dom

Dustin Doris wrote:



          
Hello all,

I've spent quite a long time trying to understand how freeradius works
and trying to get everything I want working.
I have been using Openldap since 2001 and I have no problems understanding LDAP
as I wrote many programs around LDAP. In fact I don't understand how
groups are working under radius.

My aim: I would like to distribute different IP pools for users.

The best for me: In the users DN, we already have an attribute for a
laboratory, ie u2labo
I would like to say:
1. authenticate the user in ldap (works ok)
2. Get the attribute u2labo
3. use that value to get the ip range (somewhere even outside ldap
(users)) to distribute the IP.

I've tried many configurations without success. The debugging of ldap
shows me just bind successful without search for groups. I tried to
add radiusprofile Objectclass without success. So what is the meaning
of groups in radius?
Can we say:
user fred  attributes XXX member of group test
group test the rest of attributes.

Could you give me the minimum to set in conf files to get it working?

Thanks

Dom




              
--
Dominique LALOT
Ingénieur Système Réseau CISCAM Pole Réseau
Université de la Méditerranée http://annuaire.univ.fr/showuser.php?uid=lalot



    



  

-- 
Dominique LALOT
Ingénieur Système Réseau CISCAM Pole Réseau
Université de la Méditerranée http://annuaire.univ-mrs.fr/showuser.php?uid=lalot
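
Added example, not part of the original thread: a small Python script that tallies, from radiusd -X output in the format quoted above, how many LDAP searches and ippool module calls a single request costs when the users file has one Ldap-Group entry per pool. The sample log is constructed from lines in the thread and shortened; the function name and result keys are assumptions.

```python
import re

# Constructed sample in the format of the radiusd -X output quoted in the
# thread, shortened to two group checks and three pool modules.
SAMPLE_LOG = """\
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=IUT)(uid=fred))
rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr,
with filter (objectclass=*)
rlm_ldap::groupcmp: Group IUT not found or user not a member
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with
filter (&(supannaffectation=Sciences)(uid=fred))
rlm_ldap::ldap_groupcmp: User found in group Sciences
  modcall[post-auth]: module "IUT_pool" returns noop for request 2
  modcall[post-auth]: module "Sciences_pool" returns ok for request 2
  modcall[post-auth]: module "DEF_pool" returns noop for request 2
"""

MISS = re.compile(r"groupcmp: Group (\S+) not found")
HIT = re.compile(r"ldap_groupcmp: User found in group (\S+)")
POOL = re.compile(r'modcall\[post-auth\]: module "([^"]+)" returns (\w+)')

def summarize(log):
    """Count the LDAP work and pool-module calls spent on one request."""
    out = {"groupcmp_calls": 0, "ldap_searches": 0, "missed_groups": [],
           "matched_group": None, "allocating_pool": None, "noop_pools": []}
    for line in log.splitlines():
        if "Entering ldap_groupcmp()" in line:
            out["groupcmp_calls"] += 1
        elif line.startswith("rlm_ldap: performing search in"):
            out["ldap_searches"] += 1   # each one is a round trip to the directory
        elif m := MISS.search(line):
            out["missed_groups"].append(m.group(1))
        elif m := HIT.search(line):
            out["matched_group"] = m.group(1)
        elif m := POOL.search(line):
            if m.group(2) == "ok":
                out["allocating_pool"] = m.group(1)
            else:
                out["noop_pools"].append(m.group(1))
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full debug capture before and after switching to the ldap.attrmap mapping, the ldap_searches and groupcmp_calls counts show whether the per-group lookups are gone.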
