> I am running FreeRADIUS version 1.1.2 on Debian Linux (Stable x86).
> I am trying to map an LDAP attribute to a RADIUS attribute. A little
> background: we have a RADIUS client that needs to make decisions
> based on an LDAP attribute (we'll call it User-Category). Based on
> the value of this attribute the end user will be given rights on the
> network. So, I set up my ldap.attrmap with *only* the following line:
>
> replyItem User-Category orgPrimaryAffiliation
>
> rlm_ldap: Adding orgPrimaryAffiliation as User-Category, value
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group LDAP for request 4
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "mytestuser" with password "12345"
> rlm_ldap: user DN: orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com
> rlm_ldap: (re)connect to ldapserver.org.com:389, authentication 1
> rlm_ldap: bind as orgUUID=53d66879-e0a0-da8f-4c49-514b567713ad,ou=People,dc=org,dc=com/12345 to ldapserver.org.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user mytestuser authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 4
> modcall: leaving group LDAP (returns ok) for request 4
> Sending Access-Accept of id 192 to 127.0.0.1 port 32904
> Finished request 4
>
> Ok, everything seems ok until now...
> The problem is that I never see the RADIUS server return the
> "User-Category" attribute back to the RADIUS client. It seems to
> only want to send the "Access-Accept" or "Access-Reject" message
> with no User-Category value. I tried including the "User-Category"
> in the request with no luck. I also modified the "attrs" file to
> include this attribute:
>
> DEFAULT
>     Service-Type == Framed-User,
>     Service-Type == Login-User,
>     Login-Service == Telnet,
>     Login-Service == Rlogin,
>     Login-Service == TCP-Clear,
>     Login-TCP-Port <= 65536,
>     Framed-IP-Address == 255.255.255.254,
>     Framed-IP-Netmask == 255.255.255.255,
>     Framed-Protocol == PPP,
>     Framed-Protocol == SLIP,
>     Framed-Compression == Van-Jacobson-TCP-IP,
>     Framed-MTU >= 576,
>     Framed-Filter-ID =* ANY,
>     Reply-Message =* ANY,
>     User-Category =* ANY,
>     Proxy-State =* ANY,
>     Session-Timeout <= 28800,
>     Idle-Timeout <= 600,
>     Port-Limit <= 2
>
> But no luck there either. Any help is greatly appreciated.

Yes, but I don't think you can create a new Radius attribute like this.
You should at least declare it in a dictionary (since a Radius attribute corresponds to a number, in fact). See /etc/raddb/dictionary and any included files.

Can anyone confirm my analysis and propose a procedure to create new attributes? Isn't it necessary to register new attributes/numbers somewhere? Is it possible to define "private attributes"?

Regards,
Thibault

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
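One way to carry out the procedure Thibault asks about, as an added example that is not part of this thread: declare User-Category as a vendor-specific attribute in the FreeRADIUS dictionary, then reference it from ldap.attrmap. The vendor name Example-Org and the vendor-type number 1 are assumptions; 32473 is the enterprise number IANA reserves for documentation and must be replaced with your organisation's own Private Enterprise Number.

```text
# /etc/raddb/dictionary (or a file it $INCLUDEs) -- added example, not from the thread.
#
# A RADIUS attribute is a number on the wire, so the name has to be
# declared before rlm_ldap can build a reply item from it.  Placing it
# under a vendor (RFC 2865 attribute 26, Vendor-Specific) keeps it out
# of the standard attribute space, so it cannot collide with an
# IANA-assigned number that another client or proxy interprets.
#
# 32473 is the documentation-reserved enterprise number: substitute your own PEN.
VENDOR          Example-Org     32473

# Four-column form accepted by 1.x dictionaries: name, vendor-type, type, vendor.
# Vendor-type 1 is an arbitrary choice within your own vendor space.
ATTRIBUTE       User-Category   1       string  Example-Org

# /etc/raddb/ldap.attrmap -- maps the LDAP attribute onto the declared reply item.
# Reply items are added by the ldap module's authorize pass, so "ldap" must
# also be listed in the authorize section of radiusd.conf, not only in
# authenticate as in the debug output above.
replyItem       User-Category   orgPrimaryAffiliation
```

After restarting radiusd, the attribute appears in the Access-Accept as a Vendor-Specific attribute and can be checked with `radtest` in debug output.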