On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:

> Thanks Arran for those answers,
>
>> No your check will not iterate over every instance of a value.
>>
>> In order to do that you'll need to use FreeRADIUS 3.x and use the foreach
>> unlang construct or perl.
>
> hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or
> I'll simply fall back to rlm_perl. But not on a Friday evening, it will
> wait till Monday!
Tentative yes :) It'll only get truly production ready if people test it and
report the bugs. But yes, it's good enough to build configs on, and good
enough to test.

If you do a git-clone then you can establish basic version control with
something like:

#!/bin/bash
# Stop on the first failing step so a broken build never replaces the
# /usr/local/freeradius symlink.
set -e
cd /usr/local/src/freeradius
git pull
make clean
# Short hash of the checked-out commit; used to name the install prefix
hash=`git log -n 1 --pretty=format:%h`
./configure --prefix="/usr/local/freeradius-$hash" --enable-developer
make
make install
# Repoint the symlink at the freshly built tree
rm -f /usr/local/freeradius
ln -s "/usr/local/freeradius-$hash" /usr/local/freeradius

Once you find a commit that does all you want, stick with it until there's
an official 3.x release and then upgrade. For certain fixes you'll be able
to use git cherry-pick to pull in individual commits.

-Arran

>
>
>> -Arran
>>
>> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
>>
>>> Hello,
>>>
>>> I've been trying for two weeks to do some multi-valued attribute checking on
>>> my radius infrastructure.
>>>
>>> I've been looking to checkval, using the "users" file and such but with
>>> no luck.
>>>
>>> I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
>>> authentication is made against a Novell eDirectory ldap server.
>>>
>>> I'm fetching a multi-valued attribute from the ldap into the control
>>> list, and based on its content, I set the correct
>>> Airespace-Interface-Name value.
>>>
>>> At the beginning I was using unlang to match the value, and it works
>>> perfectly since 90% of the people only have one attribute. But some
>>> people have multiple attributes.
>>>
>>> So far, that's what I've been using :
>>>
>>> In virtual server, at the end of authorize {}
>>>
>>> if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>>>     $INCLUDE ${confdir}/secure-hefr.policy
>>> }
>>>
>>> secure-hefr.policy content :
>>>
>>> if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>>>     update reply {
>>>         Airespace-Interface-Name := "wifi_eia-etu"
>>>     }
>>> }
>>> elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>>>     update reply {
>>>         Airespace-Interface-Name := "wifi_eia-col"
>>>     }
>>> }
>>> elsif {
>>> }
>>> [ ... ]
>>>
>>> Some debug from a user who is multi-valued :
>>>
>>> server eduroam-inner-tunnel-peap {
>>> # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
>>> +- entering group authorize {...}
>>> ++[mschap] returns noop
>>> [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perr...@hefr.ch"
>>> [suffix] Found realm "hefr.ch"
>>> [suffix] Adding Realm = "hefr.ch"
>>> [suffix] Authentication realm is LOCAL.
>>> ++[suffix] returns ok
>>> ++[control] returns ok
>>> [eap] EAP packet type response id 11 length 6
>>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>>> ++[eap] returns updated
>>> [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>>> [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>>> [auth_log] expand: %t -> Fri Sep  2 15:45:08 2011
>>> ++[auth_log] returns ok
>>> [linelog] expand: %{Packet-Type} -> Access-Request
>>> [linelog] expand: %{%{Packet-Type}:-format} -> Access-Request
>>> [linelog] expand: /var/log/freeradius/linelog -> /var/log/freeradius/linelog
>>> [linelog] expand: Requested access: %{User-Name} -> Requested access: didier.perr...@hefr.ch
>>> ++[linelog] returns ok
>>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
>>> ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>>> ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
>>>     expand: %{1} -> didier.perroud
>>> +++[request] returns ok
>>> ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
>>> ++[files] returns noop
>>> [ldap] performing user authorization for didier.perroud
>>> [ldap]     expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
>>> [ldap]     expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
>>> [ldap] ldap_get_conn: Checking Id: 0
>>> [ldap] ldap_get_conn: Got Id: 0
>>> [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud)
>>> [ldap] Added the eDirectory password ******* in check items as Cleartext-Password
>>> [ldap] No default NMAS login sequence
>>> [ldap] looking for check items in directory...
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
>>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RACA-TICO-MSEI-MTIC-$-RCA"
>>> [ldap] looking for reply items in directory...
>>> [ldap] hessoRoleMemberKey -> Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
>>> [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
>>> [ldap] hessoRoleMemberKey -> Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
>>> [ldap] user didier.perroud authorized to use remote access
>>> [ldap] ldap_release_conn: Release Id: 0
>>> ++[ldap] returns ok
>>> [pap] WARNING: Auth-Type already set.  Not setting to PAP
>>> ++[pap] returns noop
>>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
>>> ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>>> ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
>>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
>>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
>>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
>>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
>>> +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {...}
>>>
>>> We can see that it didn't match control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/
>>> while it has the correct value in the control list.
>>>
>>> How can I match this multi-valued attribute ?
>>>
>>> Regards,
>>> Olivier B.
>>>
>>> --
>>>
>>>  Olivier Beytrison
>>>  Network & Security Engineer, HES-SO Fribourg
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>
>> Arran Cudbard-Bell
>> a.cudba...@freeradius.org
>>
>> RADIUS - Half the complexity of Diameter
>>
>
> --
>
>  Olivier Beytrison
>  Network & Security Engineer, HES-SO Fribourg
>

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter
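Arran's foreach suggestion applied to Olivier's secure-hefr.policy, as an added example that is not from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 3.x unlang syntax (foreach, %{Foreach-Variable-0}, break) and the attribute names from the post, and it still expects to be $INCLUDEd from the NAS-IP-Address check in authorize. Beyond the original it anchors each pattern with ^ so a key is matched whole rather than as a substring, stops at the first matching value, and (an assumed policy choice) rejects when no key matched instead of falling through to whatever interface the NAS assigns by default.

```unlang
# secure-hefr.policy rewritten for FreeRADIUS 3.x (added example, not from the thread).
# A plain "control:HESSO-MEMBER-KEY =~ ..." only ever tests the first value;
# foreach walks every value the ldap module put in the control list.
foreach &control:HESSO-MEMBER-KEY {
    # %{Foreach-Variable-0} holds the value for the current iteration
    if ("%{Foreach-Variable-0}" =~ /^RORG-MASO.*RCA$/) {
        update reply {
            &Airespace-Interface-Name := "wifi_eia-etu"
        }
        # First matching key decides; stop looking at the remaining values
        break
    }
    elsif ("%{Foreach-Variable-0}" =~ /^RORG-HEFR-EIFR.*RSM$/) {
        update reply {
            &Airespace-Interface-Name := "wifi_eia-col"
        }
        break
    }
}

# Assumed policy: a user whose keys match no rule gets no interface
# assignment at all, so deny rather than let the NAS pick a default.
if (!&reply:Airespace-Interface-Name) {
    reject
}
```

Check the result with radiusd -X: the debug output will show one "Evaluating" line per value of HESSO-MEMBER-KEY instead of the single evaluation seen in Olivier's trace.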