Ok I finally realise what I was doing wrong. To retrieve one Active Directory user's group it's not necessary to use the replyItem in ldap.attrmap. It's only necessary to configure the ldap module "correctly". So I resolved this using the following configuration:
Sat, 2008-07-12 at 21:58 +0100, Nelson Vale wrote:
> Hi all,
>
> I have my freeradius deployment (2.0.2) configured to authenticate users
> against Active Directory and that is working fine. But I want to
> retrieve user's profile from Active Directory, to add VLAN ID
> (Tunnel-Private-Group-ID) to Access-Accept reply.
>
> I really don't know how to do this and I could find a clear solution,
> either in documentation (rlm_ldap) or by googling. So I would
> appreciate if someone could give me a hand on this.
>
> What I've done so far is to add this entry to ldap.attrmap file:
> "replyItem radiusProfileDn memberOf". The profile I want to retrieve
> is the CN in this object like "cn=PROFILE,dc=domain,dc=com", but in
> radius debug I'm getting this error:
>
> ++[ntdomain] returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for figo
> expand: %{Stripped-User-Name} -> figo
> expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}) -> (sAMAccountName=figo)
> expand: dc=ldaptest,dc=pt -> dc=ldaptest,dc=com
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ldaptest,dc=com, with filter (sAMAccountName=figo)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string "CN=grupo1,DC=ldaptest,DC=com" for attribute name "radiusProfileDn"
> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> rlm_ldap: user figo authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> rlm_eap: EAP packet type response id 8 length 80
> rlm_eap: Continuing tunnel setup.
> ++[eap] returns ok
> ++[mschap] returns noop
> expand: %{Stripped-User-Name} -> figo
> expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> figo
> ++[files] returns noop
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> +- entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: Received EAP-TLV response.
> rlm_eap_peap: Success
> Using saved attributes from the original Access-Accept
> rlm_eap: Freeing handler
> ++[eap] returns ok
> Login OK: [LDAPTEST.COM\\figo/<via Auth-Type = EAP>] (from client portatil port 0 cli 02-00-00-00-00-01)
> Sending Access-Accept of id 17 to 192.168.10.200 port 33000
> User-Name = "figo"
> MS-MPPE-Recv-Key = 0x69e42b94d9070d50bf16c6f70d904c94799f99dc1aeb8f2c7485968674c5cad5
> MS-MPPE-Send-Key = 0xa67fc2e54c9ec96e583225bb123ed223e55846230bbdb26eeb6bb0b16bd5c57d
> EAP-Message = 0x03080004
> Message-Authenticator = 0x00000000000000000000000000000000
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
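The debug output above shows why the attrmap approach fails: rlm_ldap tries to turn the memberOf value (a DN string) into a RADIUS attribute named radiusProfileDn, and the pair creation rejects it as an invalid octet string, so nothing reaches the reply. The usual FreeRADIUS 2.x way to do group-based VLAN assignment is to let rlm_ldap evaluate the user's memberOf against a group DN (the Ldap-Group check item) and to attach the Tunnel-* reply attributes in the users file. The following is an added illustration of that pattern, not the configuration Nelson ended up posting; the group DN and the search filter are taken from the debug output, while the LDAP server name, the bind account, the VLAN number 10 and the reject fallback are assumptions.

```conf
# --- raddb/modules/ldap (FreeRADIUS 2.x) --- only the relevant settings shown
ldap {
        server = "dc.ldaptest.com"                          # assumed AD host
        identity = "cn=radius,cn=Users,dc=ldaptest,dc=com"  # assumed bind account
        password = "CHANGE-ME"                              # placeholder
        basedn = "dc=ldaptest,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{%{User-Name}:-none}})"

        # Make "Ldap-Group == <dn>" true when <dn> appears in the user's
        # memberOf values. This replaces the replyItem line in ldap.attrmap,
        # which tried (and failed) to copy the DN into radiusProfileDn.
        groupmembership_attribute = "memberOf"
}

# --- raddb/users (for PEAP, the users file read by the inner-tunnel server) ---
# Members of grupo1 get VLAN 10 (the VLAN number is an assumed value).
DEFAULT Ldap-Group == "CN=grupo1,DC=ldaptest,DC=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Accounts in no known group are refused instead of landing on the switch's
# default VLAN; a deliberate least-privilege choice, assumed here.
DEFAULT Auth-Type := Reject
        Reply-Message = "No VLAN assignment for this account"
```

With PEAP the ldap and files modules run inside the inner tunnel, so the reply attributes only reach the outer Access-Accept when `use_tunneled_reply = yes` is set in the peap section of eap.conf; the line "Using saved attributes from the original Access-Accept" in the debug above indicates that is already the case. After the change, run `radiusd -X` and confirm the Access-Accept carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id alongside the MS-MPPE keys.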