On 19/11/12 11:17, Phil Mayers wrote:
On 11/19/2012 09:48 AM, Angel L. Mateo wrote:

ldap  {
   ...
   filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:%{X-Atica-Service}:enabled))"
   ...
}


DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
     User-Name := `%{User-Name}`,
     Fall-Through = No

     But this does not work.

It's important to understand how the "users" file works. The line you've
written above says:

set "X-Actica-Service" to "vpn" in the "control" items if it's not
already set (= operator)

set "Auth-Type" to "LDAP" in the "control" items if it's not already set
(= operator)

*if* Realm == um.es

and then

set "User-Name" to "%{User-Name}" on the "reply" items *always* (:=
operator)

set "Fall-Through" to "No" in the "reply" items if it's not already set
(= operator)

So, any variable you set on that first line goes in the control items,
so must be referred to there.

Either modify your LDAP filter to reference:

   "...%{control:X-Actica-Service}..."

...or better yet, convert the logic to an "unlang" stanza which is more
flexible and more explicit / less "magic", hence easier to understand,
*and* lets you set variables in any list. Like so:

authorize {
   ...
   if (Realm == um.es) {
     update request {
       X-Actica-Service = "..."
     }
   }
   else {
     ...
   }

   ldap
}

        Thank you, this way it works.

Also: I note you are setting "Auth-Type". This is almost always wrong,
and almost certainly so in your case. Correct config of the LDAP module
should mean you don't need to set Auth-Type, and it's usually harmful to
do so. If it's not causing you a problem it's probably because you're
using the "=" rather than ":=" operator.

It works for me. Maybe it's because I don't use ldap in authorize, but just in:

authenticate {
        Auth-Type LDAP {
                ldap
        }
}

I don't know the real cause of this (I have inherited this configuration from an old config I didn't write).

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 868888337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
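
A simplified Python model of the behaviour discussed in this thread, added here as an illustration; it is not part of the original messages and not FreeRADIUS code. It shows why the filter expands to an empty service name when the attribute only exists in the control list. The function names, the sample request values and the restriction to the `=`, `:=` and `==` operators are assumptions of this example.

```python
import re

def apply_users_entry(check_items, reply_items, request, control, reply):
    """Simplified model of one "users" entry; items are (attr, op, value)."""
    # '==' items on the first line are comparisons against the request list.
    for attr, op, value in check_items:
        if op == "==" and request.get(attr) != value:
            return False  # entry does not match; nothing is modified
    # The other first-line items are assignments into the *control* list.
    for attr, op, value in check_items:
        if op == ":=" or (op == "=" and attr not in control):
            control[attr] = value
    # Items on the indented lines go to the *reply* list (stored unexpanded).
    for attr, op, value in reply_items:
        if op == ":=" or (op == "=" and attr not in reply):
            reply[attr] = value
    return True

def xlat(template, request, control):
    """Expand %{Attr} from the request list and %{control:Attr} from control.
    An attribute that is not set expands to the empty string."""
    def lookup(match):
        source = control if match.group(1) == "control" else request
        return source.get(match.group(2), "")
    return re.sub(r"%\{(?:(control):)?([A-Za-z0-9-]+)\}", lookup, template)

def demo(realm="um.es"):
    # Constructed sample request; the entry is the one quoted in the thread.
    request = {"User-Name": "user@um.es", "Realm": realm}
    control, reply = {}, {}
    check = [("X-Actica-Service", "=", "vpn"), ("Auth-Type", "=", "LDAP"),
             ("Realm", "==", "um.es")]
    reply_items = [("User-Name", ":=", "%{User-Name}"), ("Fall-Through", "=", "No")]
    matched = apply_users_entry(check, reply_items, request, control, reply)
    status = "(schacUserStatus=<urn prefix>:%s:enabled)"
    from_request = xlat(status % "%{X-Actica-Service}", request, control)
    from_control = xlat(status % "%{control:X-Actica-Service}", request, control)
    return matched, control, from_request, from_control

if __name__ == "__main__":
    for item in demo():
        print(item)
```
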
