Alan DeKok wrote:
> Matthieu Lazaro wrote:
>> Here is the content of a packet received by radiusd:
>
>   Weird, but OK.
>
>> Furthermore, to reply to Alan about the radiusUserCategory, it is given
>> with the radius.schema for ldap. Is it a useless attribute then?
>
>   Yes.
>
>> I'll be checking this afternoon and testing about putting more info in
>> ldap.attrmap to see if the filters work.
>
>   See also doc/rlm_ldap.  This *is* documented.
>
>   Alan DeKok.
>
When filling the ldap.attrmap, here is what I get:

Info: [ldap] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
Info: [ldap]         expand: (uid=%{Stripped-User-Name:-%{User-Name}})
-> (uid=bobalice)
Info: [ldap]         expand: dc=testbed,dc=lan -> dc=testbed,dc=lan
Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Debug: rlm_ldap: performing search in dc=testbed,dc=lan, with filter
(uid=bobalice)
Info: [ldap] checking if remote access for bobalice is allowed by
radiusTunnelPrivateGroupId
Info: [ldap] Added User-Password =                                     
in check items
Info: [ldap] No default NMAS login sequence
Info: [ldap] looking for check items in directory...
Debug: rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0
== "34"
Debug: rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
Debug: rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
Debug: rlm_ldap: userPassword -> User-Password == "                   
                        "
Debug: rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 10.1.1.2
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==   
Debug: rlm_ldap: sambaLmPassword -> LM-Password ==   
Debug: rlm_ldap: ntPassword -> NT-Password ==   
Debug: rlm_ldap: lmPassword -> LM-Password ==  
Debug: rlm_ldap: radiusCallingStationId -> Calling-Station-Id ==
"00-15-42-7a-82-b4"
Info: [ldap] looking for reply items in directory...
Info: [ldap] user bobalice authorized to use remote access
Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Info: ++[ldap] returns ok

The thing is, it is just READING the ldap content.... and not comparing
to what the NAS is sending.
Tunnel-Private-Group-Id:0 == "34", but actually I logged in using
Tunnel-Private-Group-Id:0 == "1".

I tried to add those checks in the users file, but it didn't work.
I read the rlm_ldap manual, and it's not talking about those types of
attributes....

So I'm wondering where to tell radius: "compare the ldap attributes with
what the NAS sent you, and if anything is different, reject the packet".
I guess that I'll have to wait until this is resolved before trying to have
radius put the user in the proper vlan. (doing things in the right
order???)

Regards,

Matt
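What the post asks for is a check-item comparison: every attribute rlm_ldap pulls out of the directory as a check item must be present in the request with the same value, or the packet is rejected. The added example below (not FreeRADIUS code, and not part of the thread) parses the "ldapAttr -> Radius-Attr == value" debug lines quoted above into check items, applies the usual users-file meaning of "==" (attribute present in the request AND equal), and reports each mismatch, which for the constructed request reproduces the "34" versus "1" difference the post describes. Empty-valued items such as the unset password attributes are skipped, and the request dictionary is constructed for the example.

```python
import re

# Constructed sample: a subset of the rlm_ldap debug lines from the post,
# with the mail-wrapped Tunnel-Private-Group-Id line re-joined.
LDAP_DEBUG = """\
Debug: rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "34"
Debug: rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
Debug: rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
Debug: rlm_ldap: radiusNASIpAddress -> NAS-IP-Address == 10.1.1.2
Debug: rlm_ldap: sambaNtPassword -> NT-Password ==
Debug: rlm_ldap: radiusCallingStationId -> Calling-Station-Id == "00-15-42-7a-82-b4"
"""

# Constructed request, as described in the post: the NAS sent group "1".
SAMPLE_REQUEST = {
    "User-Name": "bobalice",
    "NAS-IP-Address": "10.1.1.2",
    "Calling-Station-Id": "00-15-42-7a-82-b4",
    "Tunnel-Type:0": "VLAN",
    "Tunnel-Medium-Type:0": "IEEE-802",
    "Tunnel-Private-Group-Id:0": "1",
}

CHECK_RE = re.compile(r'rlm_ldap: \S+ -> (\S+) ==(.*)$')

def parse_check_items(debug_text):
    """Extract (radius_attr, value) check items from rlm_ldap debug output.
    Items whose value is empty (unset LDAP attribute) are dropped."""
    items = []
    for line in debug_text.splitlines():
        m = CHECK_RE.search(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2).strip().strip('"')
        if value:
            items.append((attr, value))
    return items

def compare_check_items(check_items, request):
    """'==' check-item semantics: the attribute must be present in the
    request with exactly this value. Returns (attr, expected, got) for
    every item that fails; an empty list means the request passes."""
    mismatches = []
    for attr, expected in check_items:
        got = request.get(attr)
        if got is None or str(got) != expected:
            mismatches.append((attr, expected, got))
    return mismatches

def authorize(debug_text, request):
    """Reject on any difference, as the post wants; otherwise accept."""
    return "reject" if compare_check_items(parse_check_items(debug_text), request) else "ok"
```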
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html