Hi Alan
OK - got it working - I had a look at rlm_ldap.c and ldap.h
(ldap_is_ldap_url and ldap_url_parse functions) - although I have one
more issue, ... see below
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {
    ok
}
else {
    reject
}
The debug output is:
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" )
rlm_ldap: - ldap_xlat
expand: ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices -> ldap://127.0.0.1/CN=testuser,OU=Users,DC=marcolinux,DC=local?eckAllowedServices
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=testuser,OU=Users,DC=marcolinux,DC=local, with filter (null)
rlm_ldap: Adding attribute eckAllowedServices, value: ftp
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
expand: %{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices} -> ftp
expand: %{NAS-Identifier} -> ftp
? Evaluating ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++? if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) -> TRUE
++- entering if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) {...}
+++[ok] returns ok
++- if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}" == "%{NAS-Identifier}" ) returns ok
++ ... skipping else for request 0: Preceding "if" was taken
Found Auth-Type = PAM
but it works only if eckAllowedServices has only one value.
eckAllowedServices is a multi-string attribute, that is, for example
eckAllowedServices[0]=httpProxy
eckAllowedServices[1]=ftp
eckAllowedServices[2]=VPN
etc.
It works only for the first element of the array, ... so in the
preceding example only if eckAllowedServices[0]=ftp.
Is there a way to have it recursively process all the elements of the
array to do the comparison?
I tried
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices[*]}" == "%{NAS-Identifier}" )
and
if ("%{ldap:ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local?eckAllowedServices}[*]" == "%{NAS-Identifier}" )
but had no luck
Marco Carcano
Just for info (for other users who may read this post in the future):
I was wondering if it performed an anonymous bind to the directory -
the LDAP URL does not contain credentials, so I raised the LDAP server's
verbosity and had a look at the log, ....
It works authenticated, as in modules/ldap - I think this is really
important: on my server I prohibited anonymous binding, also from
localhost.
On 26 Nov 2010, at 09:31, Alan DeKok wrote:
Marco Carcano wrote:
I RTM unlang, but I have to admit I only got confused - the only
thing I have understood is how to write a simple statement like this (in the
authorize section)
if (NAS-Identifier == "ftp" ) {
    ok
}
else {
    reject
}
and I think it is even wrong because it always returns OK :(((((
And.... what does debug mode say?
I noticed in some posts people using a syntax like
if (NAS-Identifier == %{sql: SELECT ... BLA BLA} )
See "man unlang". This is documented.
but I have not been able to see a working example using ldap,
if (NAS-Identifier == "%{ldap: ... ldap stuff ... }") {
thinking of the %{sql:SELECT ...} example, I thought of a syntax almost
like this
if (NAS-Identifier == "ldap:cn=%{User-Name},ou=Users,dc=marcolinux,dc=local (eckAllowedServices)" ) {
You didn't use the same form as the SQL example. The brackets have
*meaning*: %{}
See "man unlang".
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
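As an added example (my own code, not from this thread and not from the FreeRADIUS project), here is a small Python model of what the if-condition in the thread is doing: an RFC 4516 LDAP URL parser in the spirit of the ldap_url_parse function mentioned above, the %{User-Name} expansion seen in the "expand:" debug lines, and the two comparisons side by side. The directory is a constructed in-memory dict holding the three multi-valued eckAllowedServices entries from the post; the first-value-only expansion mimics the behaviour Marco reports, not rlm_ldap's real code, and nothing here claims an unlang syntax for iterating over values (the thread leaves that open). The DN-escaping and percent-encoding of User-Name is the example's own addition.

```python
# Added example: RFC 4516 LDAP URL parsing plus first-value vs. any-value
# comparison of a multi-valued attribute against NAS-Identifier.
# Nothing here contacts a real directory; SAMPLE_DIRECTORY is constructed data.
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample directory: DN -> attribute -> list of values.
# eckAllowedServices is multi-valued, as described in the post.
SAMPLE_DIRECTORY = {
    "CN=testuser,OU=Users,DC=marcolinux,DC=local": {
        "eckAllowedServices": ["httpProxy", "ftp", "VPN"],
    },
}

# The URL from the thread, with the %{User-Name} reference still unexpanded.
URL_TEMPLATE = ("ldap://127.0.0.1/CN=%{User-Name},OU=Users,DC=marcolinux,DC=local"
                "?eckAllowedServices")

# Matches %{Attr} references such as %{User-Name}; the outer %{ldap:...}
# wrapper contains ':' and '/' and therefore does not match.
ATTR_REF = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4),
    so a User-Name like 'bob,OU=Admins' cannot alter the DN structure."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def expand_request_attrs(template, request):
    """Substitute %{Attr} references from the request dict (like the
    'expand:' lines in the debug output). Values are DN-escaped and then
    percent-encoded, since they are being placed inside an LDAP URL."""
    def repl(m):
        return quote(escape_dn_value(request.get(m.group(1), "")), safe="")
    return ATTR_REF.sub(repl, template)


def parse_ldap_url(url):
    """Parse ldap://host[:port]/dn[?attrs[?scope[?filter]]] (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    dn = unquote(parts.path.lstrip("/"))
    # urlsplit stops at the first '?', so the remaining '?'-separated
    # fields (attrs, scope, filter) are all still inside .query
    extra = parts.query.split("?") if parts.query else []
    extra += [""] * (3 - len(extra))
    attrs, scope, filt = (unquote(f) for f in extra[:3])
    return {
        "host": parts.hostname or "",
        "port": parts.port or 389,
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",
        "filter": filt or "(objectClass=*)",
    }


def entry_values(url, directory=SAMPLE_DIRECTORY):
    """Base-scope lookup of the requested attribute(s) on the URL's DN."""
    q = parse_ldap_url(url)
    entry = directory.get(q["dn"], {})
    values = []
    for attr in q["attrs"]:
        values.extend(entry.get(attr, []))
    return values


def ldap_xlat_first_value(url, directory=SAMPLE_DIRECTORY):
    """String expansion as the thread observes it: the result is one string,
    so only the first value of a multi-valued attribute takes part in '=='."""
    values = entry_values(url, directory)
    return values[0] if values else ""


def nas_allowed_first_only(request, url_template, directory=SAMPLE_DIRECTORY):
    """The thread's condition: "%{ldap:...}" == "%{NAS-Identifier}"."""
    url = expand_request_attrs(url_template, request)
    return ldap_xlat_first_value(url, directory) == request.get("NAS-Identifier", "")


def nas_allowed_any(request, url_template, directory=SAMPLE_DIRECTORY):
    """What the poster is asking for: accept if NAS-Identifier matches ANY value."""
    url = expand_request_attrs(url_template, request)
    return request.get("NAS-Identifier", "") in entry_values(url, directory)


if __name__ == "__main__":
    for nas in ("httpProxy", "ftp", "VPN", "smtp"):
        req = {"User-Name": "testuser", "NAS-Identifier": nas}
        print("%-9s first-only=%-5s any=%s" % (
            nas, nas_allowed_first_only(req, URL_TEMPLATE), nas_allowed_any(req, URL_TEMPLATE)))
```

Run stand-alone it prints one line per NAS-Identifier: only "httpProxy" (the first value) passes the first-only comparison, while "httpProxy", "ftp" and "VPN" all pass the any-value check and "smtp" fails both, which is exactly the difference the post describes. The escaping step is there because User-Name is attacker-supplied input that ends up inside a DN: without RFC 4514 escaping, a value containing "," or "=" changes which entry is read, and without percent-encoding a "#" or "?" would be misparsed at the URL layer.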