Hi all! I am using freeradius 2.1.10 (from backports) on a Debian Lenny server to authenticate wireless users using EAP and normal users (from Ascend NAS and ASA5510) with CHAP and PAP and so on.
My backend is an LDAP directory (OpenLDAP). So far, everything is fine and working great. My question is more about fine tuning some aspects and some understanding issues with the way rlm_ldap adds (or doesn't add) attributes to the query/reply.

I need to explain a bit about my environment: I have two LDAP attributes which control the state of a user's account:

a) gifb-Status ("1" means enabled)
b) gifb-NetzAccStatus ("1" again means enabled)

- gifb-status gets set to "0" if the password expires or the account gets disabled for other reasons.
- gifb-NetzAccStatus gets set to "0" if the networking account has to be disabled.

If either of the two attributes is != 1, then the user has to be rejected. To achieve this, until recently I had a filter like the following for the ldap module:

    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=gifb-NetzAccount)(gifb-status=1)(gifb-NetzAccStatus=1))"

This worked OK, i.e. the user was rejected if his account was disabled, because he wasn't even found by the ldap module. But this also resulted in somewhat ugly log entries:

    Sun Oct 3 20:38:18 2010 : Auth: Login incorrect ( [ldap] User not found): [XXXX123] (from client alb13 port 5 cli 00236CDEADBF via TLS tunnel)
    Sun Oct 3 20:38:18 2010 : Auth: Login incorrect: [XXXX123] (from client alb13 port 5 cli 00236CDEADBF)

So, using unlang I created the following, adjusting my filter first ...

    filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=gifb-NetzAccount))"

... adding to the dictionary ...
    ATTRIBUTE GIFB-NetzAccStatus 3000 integer
    ATTRIBUTE GIFB-Status 3001 integer

and then in the inner-tunnel:

,----[sites-enabled/inner-tunnel
| ldap
|
| if ( !notfound ) {
|   update request {
|     GIFB-NetzAccStatus := "%{ldap:ldap:///dc=fh-giessen-friedberg,dc=de?GIFB-NetzAccStatus?sub?uid=%u}"
|     GIFB-Status := "%{ldap:ldap:///dc=fh-giessen-friedberg,dc=de?GIFB-Status?sub?uid=%u}"
|   }
|   if ( GIFB-NetzAccStatus != 1 ) {
|     update reply {
|       Reply-Message = "User denied by GIFB-NetzAccStatus"
|     }
|     reject
|   }
|   if ( GIFB-Status != 1 ) {
|     update reply {
|       Reply-Message = "User denied by GIFB-Status"
|     }
|     reject
|   }
| }
`----

This also works great, I get meaningful log entries and everything is OK.

Now, for my rather simple question: Why can't I just add the following to ldap.attrmap and have the ldap module add those two attributes automagically? Why do I have to use two separate ldap_xlat queries?

    checkItem GIFB-NetzAccStatus GIFB-NetzAccStatus
    checkItem GIFB-Status GIFB-Status

I also tried this with "replyItem" instead of checkItem and also tried adding ":=" as the operator, but without the separate ldap_xlat queries both RADIUS attributes are not available after the normal ldap module ran. It seems I am missing some crucial piece of information here or just lack the understanding of this part of FreeRADIUS. Please enlighten me.

Grüße, Sven.

-- 
Sig lost. Core dumped.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
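An added example, not from Sven's post, of the same two-attribute check written against the check-item list instead of the per-attribute ldap xlat queries. It rests on an assumption about how FreeRADIUS 2.x rlm_ldap treats ldap.attrmap entries: `checkItem` lines are loaded as check items, which go into the `control:` list after the ldap module runs, whereas a bare attribute name in an unlang condition refers to the request list; the dictionary entries and the two checkItem lines from the post are assumed to be in place.

```unlang
# sites-enabled/inner-tunnel, authorize section (added example)
#
# Assumed ldap.attrmap lines (as in the post):
#   checkItem  GIFB-NetzAccStatus  GIFB-NetzAccStatus
#   checkItem  GIFB-Status         GIFB-Status
#
# Assumption: rlm_ldap adds these as check items, i.e. to the control: list,
# so they must be referenced with the control: prefix here. A bare
# "GIFB-Status" would look in the request list, where nothing was added.
ldap

if ( !notfound ) {
    # Written as a negated equality so a user whose entry has no
    # GIFB-NetzAccStatus value at all is also rejected (fail closed),
    # rather than only a user whose value is explicitly != 1.
    if ( !(control:GIFB-NetzAccStatus == 1) ) {
        update reply {
            Reply-Message = "User denied by GIFB-NetzAccStatus"
        }
        reject
    }
    if ( !(control:GIFB-Status == 1) ) {
        update reply {
            Reply-Message = "User denied by GIFB-Status"
        }
        reject
    }
}
```

Running the server with `radiusd -X` and watching the "ldap" debug output after the module returns shows which list the two attributes were added to, which is the quickest way to confirm or refute the control: assumption on a given version.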