Hello all! I've been trying unsuccessfully to get this setup to work, but unfortunately haven't been able to so far.

My need is to return the contents of three LDAP fields as replies in the Access-Accept package. The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM Cookbook -- DJ 5.1.5,3). My config is as follows:

on ldap.attrmap:

> checkItem cLDAPdepartmentNumber departmentNumber
> replyItem rLDAPdepartmentNumber departmentNumber
> checkItem cLDAPaffiliation eduPersonPrimaryAffiliation
> replyItem rLDAPaffiliation eduPersonPrimaryAffiliation
> checkItem cLDAPou ou
> replyItem rLDAPou ou

on dictionary.university:

> VENDOR Unicamp 12345
>
> BEGIN-VENDOR Unicamp
> ATTRIBUTE University-LDAP-departmentNumber 1 string
> ATTRIBUTE University-LDAP-affiliation 2 string
> ATTRIBUTE University-LDAP-organizationUnit 3 string
> END-VENDOR University

(the attributes, at least, are recognized correctly on the reply).

on the inner-tunnel configuration file:

> post-auth {
>     reply_log
>     Post-Auth-Type REJECT {
>         reply_log
>     }
>     redundant {
>         sql-server1
>         sql-server2
>     }
>     update outer.reply {
>         User-Name := %{reply:User-Name}
>         University-LDAP-departmentNumber := %{rLDAPdepartmentNumber}
>     }
> }

radiusd -v is:

> radiusd: FreeRADIUS Version 2.1.3, for host i386-portbld-freebsd7.0, built on Jan 9 2009 at 07:02:31

but unfortunately, something does not translate right. From what I've gathered running radiusd -X, the relevant parts are:

- first, an error on rlm_ldap:

> ++- entering policy redundant {...}
> [ldap1] performing user authorization for u...@university
> [ldap1] expand: (eduPersonPrincipalName=%{User-Name}) -> (edupersonprincipalname=u...@university)
> [ldap1] expand: dc=university -> dc=university
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap1.university:389, authentication 0
> rlm_ldap: starting TLS
> rlm_ldap: bind as / to ldap1.university:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=university, with filter (edupersonprincipalname=u...@university)
> [ldap1] checking if remote access for u...@university is allowed by dialupAccess
> [ldap1] looking for check items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string "cc " for attribute name "cLDAPou"
> rlm_ldap: Failed to create the pair: Invalid octet string "staff" for attribute name "cLDAPaffiliation"
> rlm_ldap: Failed to create the pair: Invalid octet string "20.5.2.4.0.0.0" for attribute name "cLDAPdepartmentNumber"
> rlm_ldap: radiusSimultaneousUse -> Simultaneous-Use == 1
> [ldap1] looking for reply items in directory...
> rlm_ldap: Failed to create the pair: Invalid octet string "cc " for attribute name "rLDAPou"
> rlm_ldap: Failed to create the pair: Invalid octet string "staff" for attribute name "rLDAPaffiliation"
> rlm_ldap: Failed to create the pair: Invalid octet string "20.5.2.4.0.0.0" for attribute name "rLDAPdepartmentNumber"
> WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
> [ldap1] Setting Auth-Type = LDAP
> [ldap1] user u...@university authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> +++[ldap1] returns ok

- second: the reply's content is not getting translated right. Instead of sending the contents of the variables, it just sends the variable names outright:

> Sending Access-Accept of id 235 to xxx.xxx.xxx.xxx port 32783
>     User-Name = "%{reply:User-Name}"
>     University-LDAP-departmentNumber = "%{rLDAPdepartmentNumber}"
>     MS-MPPE-Recv-Key = blah
>     MS-MPPE-Send-Key = blah
>     EAP-Message = 0x03050004
>     Message-Authenticator = 0x00000000000000000000000000000000
> Finished request 5.

So, the most important question is: how do I reference the contents of the variables in the post-auth update section? Second: what's causing the check and reply items not to get translated? Could this be an LDAP error, or is there an error in the ldap.attrmap file?

By the way, the authentication, authorization, everything is working fine already (including the TTLS/PAP part). Thanks in advance for any thoughts.
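Added example, not the poster's configuration and not taken from the eduroam cookbook: one way to wire this up on FreeRADIUS 2.x so that the three LDAP values end up in the outer Access-Accept. It reuses the vendor id 12345 and the University-LDAP-* attribute names from the post and assumes the dictionary file is included from the server's main dictionary (an assumption). It differs from the configuration above in two places. The ldap.attrmap entries map the LDAP attributes straight onto attributes that exist in the dictionary, because rlm_ldap can only build a pair for a RADIUS attribute name the dictionary knows; a name it cannot resolve falls through to the generic "Attr-N = octets" parser, which is where the "Invalid octet string" messages come from. And the values in the update section are double-quoted, because in 2.x unlang only double-quoted strings are xlat-expanded; an unquoted %{...} is stored as a literal, which is exactly what the Access-Accept in the post shows.

```text
# dictionary.university -- constructed example; vendor id and attribute names
# are the ones from the post. BEGIN-VENDOR and END-VENDOR must name the same vendor.
VENDOR          Unicamp         12345

BEGIN-VENDOR    Unicamp
ATTRIBUTE       University-LDAP-departmentNumber    1   string
ATTRIBUTE       University-LDAP-affiliation         2   string
ATTRIBUTE       University-LDAP-organizationUnit    3   string
END-VENDOR      Unicamp

# ldap.attrmap -- map each LDAP attribute onto a dictionary attribute defined above.
# replyItem places the value in the reply list of the (inner) request. No checkItem
# lines: the values are only needed as replies, and check items would need their own
# dictionary entries just the same.
replyItem       University-LDAP-departmentNumber    departmentNumber
replyItem       University-LDAP-affiliation         eduPersonPrimaryAffiliation
replyItem       University-LDAP-organizationUnit    ou

# sites-enabled/inner-tunnel, post-auth section -- copy the values from the inner
# reply to the outer reply. Double quotes are what make %{...} expand; the
# reply_log and redundant sql block are kept as in the post.
post-auth {
    reply_log
    Post-Auth-Type REJECT {
        reply_log
    }
    redundant {
        sql-server1
        sql-server2
    }
    update outer.reply {
        User-Name                        := "%{reply:User-Name}"
        University-LDAP-departmentNumber := "%{reply:University-LDAP-departmentNumber}"
        University-LDAP-affiliation      := "%{reply:University-LDAP-affiliation}"
        University-LDAP-organizationUnit := "%{reply:University-LDAP-organizationUnit}"
    }
}
```

With this in place, a radiusd -X run should show "[ldap1] looking for reply items in directory..." followed by the three attribute assignments instead of "Failed to create the pair", and the outer Access-Accept should carry the expanded values rather than the %{...} strings. One caveat worth keeping in mind when copying into outer.reply: everything in the outer reply leaves the TTLS tunnel and is visible to the NAS and, in a roaming setup, to every proxy on the path, so only the attributes the NAS actually needs belong there.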
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html