Hi Alan

I RTM unlang, but I have to admit I only got confused - the only thing I have understood is how to write a simple statement like this (in the authorize section):

        if (NAS-Identifier == "ftp" ) {
                ok
        }
        else {
                reject
        }

and I think it is even wrong, because it always returns OK :(((((

I noticed in some posts people using a syntax like if (NAS-Identifier == %{sql: SELECT ... BLA BLA} )

but I have not been able to see a working example using ldap ... could you provide an example, please? I've not been able to figure out how to write it down.

My situation is this: eckAllowedServices is a multi-valued string attribute that contains one NAS-Identifier per line. I use service names as NAS-Identifiers in order to perform user authorization to services - e.g. authorize ftp access on a per-user basis.

This is what happens when I do an ldapsearch:

ldapsearch -LLL -b cn=testuser,ou=Users,dc=marcolinux,dc=local eckAllowedServices -x -D "CN=FreeRADIUS,OU=AAA,OU=Services,DC=marcolinux,DC=local" -w wRtEYnd3sGkEa.Y4

dn: cn=testuser,ou=Users,dc=marcolinux,dc=local
eckAllowedServices: ftp
eckAllowedServices: httpProxy

That shows that the DN used by freeradius is able to read the eckAllowedServices attribute.

As I wrote in the previous post, I updated ldap.attrmap, inserting the following line:

checkItem       NAS-Identifier                  eckAllowedServices

in order to do the "binding" between RADIUS and LDAP,

and this is the extension of the LDAP schema (eck.schema):

attributetype ( 1.3.6.1.4.1.26309.1.1.11 NAME 'eckAllowedServices' DESC 'Services the user is allowed to login' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

objectClass ( 1.3.6.1.4.1.26309.1.1.1 NAME 'eckGenericObject' AUXILIARY DESC 'an ECK generic object' MAY ( locked $ eckPublicKey $ eckPrivateKey $ userPKCS12 $ allowProxy $ eckAllowedServices ) )

Thinking of the %{sql:SELECT ...} example, I thought of a syntax almost like this:

        if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
                ok
        }
        else {
                reject
        }

The aim is to check whether the NAS-Identifier supplied by the NAS is equal to one of the multiple values of eckAllowedServices,

but I always get this message - it doesn't matter whether the user has the eckAllowedServices attribute or not:

if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" )
        expand: ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices) -> ldap:cn=testuser,ou=Users,dc=marcolinux,dc=local (eckAllowedServices)
? Evaluating (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++? if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) -> FALSE
++- entering else else {...}
+++[reject] returns reject

I had a look at ldap.log with verbose debugging ... I found references to eckAllowedServices, but not as a request for only one attribute, as I was expecting for the unlang expression I wrote: I got it mixed with lots of other attributes - that is, the previous ldap lookup of the ldap module in the authorize section. In other words, I think the unlang expression above is useless and is not processed with a query to the ldap server. I certainly mis-typed the syntax, but I'm not able to figure out a syntax :(((


Alan, could you provide an example of unlang for LDAP? Maybe I am a slow learner, but I think it could help me (and I hope others) a lot.

Ah - I use freeradius2-2.1.7-7.el5 - that is the "official" one from RedHat/CentOS - please, don't tell me I have to repackage it to 2.1.10 - I have already done this with quite a lot of other packages in ECK.

On 23/nov/10, at 14:33, Alan DeKok wrote:

marco wrote:
Sorry Alan

I hadn't realized that the logs had become garbage :O( - maybe a webmail-related issue of my ISP.
Now I Bcc myself to see how it appears to recipients.

I tried "man unlang" but got no manual entry - I'm using FreeRADIUS packaged for CentOS - I'll have a look at http://freeradius.org/radiusd/man/unlang.html , I think it is the same.

 <shrug>  Upgrade to 2.1.10.  You're using a very old version of the
server.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
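One way to express the intended check, as an added example (mine, not code from the post or from the FreeRADIUS documentation): rlm_ldap's string expansion takes an LDAP URL, not the `ldap:cn=...` form tried above, so the membership test can be put in the URL's filter and the server does the multi-valued comparison. It assumes the ldap module instance is named `ldap`, the DNs from the ldapsearch above, and that the module's xlat escapes the expanded attributes before building the URL (check the `expand:` line in debug output on your version); it does not rely on the ldap.attrmap checkItem line.

```unlang
# Added example for the authorize section of sites-enabled/default
# (not part of the original post). LDAP URL form used by the rlm_ldap xlat:
#   ldap:///<base DN>?<attribute to return>?<scope>?<filter>
# With scope "base" and the user's own DN as base, the filter
# (eckAllowedServices=<NAS-Identifier>) matches only if one of the
# attribute's values equals the NAS-Identifier. The expansion yields the
# first value of the requested attribute ("cn") on a match and an empty
# string when nothing matched, so "" means "service not allowed".
# Assumption: the expanded User-Name and NAS-Identifier are LDAP-escaped
# by the module; both come from the NAS, so treat them as untrusted input.
authorize {
        if ("%{ldap:ldap:///cn=%{User-Name},ou=Users,dc=marcolinux,dc=local?cn?base?(eckAllowedServices=%{NAS-Identifier})}" == "") {
                reject
        }
        # fall through: the request continues with the rest of the section
}
```

Because NAS-Identifier is chosen by the NAS, this only restricts services as far as each NAS (identified by its shared secret in clients.conf) is trusted to report its own name honestly.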

