On 19/11/12 11:17, Phil Mayers wrote:
On 11/19/2012 09:48 AM, Angel L. Mateo wrote:
ldap {
    ...
    filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:%{X-Atica-Service}:enabled))"
    ...
}
DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es
        User-Name := `%{User-Name}`,
        Fall-Through = No
But this does not work.
It's important to understand how the "users" file works. The line you've
written above says:
set "X-Actica-Service" to "vpn" in the "control" items if it's not
already set (= operator)
set "Auth-Type" to "LDAP" in the "control" items if it's not already set
(= operator)
*if* Realm == um.es
and then
set "User-Name" to "%{User-Name}" on the "reply" items *always* (:=
operator)
set "Fall-Through" to "No" in the "reply" items if it's not already set
(= operator)
So, any variable you set on that first line goes in the control items,
so must be referred to there.
Either modify your LDAP filter to reference:
"...%{control:X-Actica-Service}..."
...or better yet, convert the logic to an "unlang" stanza which is more
flexible and more explicit / less "magic", hence easier to understand,
*and* lets you set variables in any list. Like so:
authorize {
    ...
    if (Realm == um.es) {
        update request {
            X-Actica-Service = "..."
        }
    }
    else {
        ...
    }
    ldap
}
Thank you, this way it works.
Also: I note you are setting "Auth-Type". This is almost always wrong,
and almost certainly so in your case. Correct config of the LDAP module
should mean you don't need to set Auth-Type, and it's usually harmful to
do so. If it's not causing you a problem it's probably because you're
using the "=" rather than ":=" operator.
It works for me. Maybe it's because I don't use ldap in authorize, but
just in:
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
I don't know the real cause of this (I have inherited this
configuration from an old config that I didn't write).
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150
Fax: 868888337
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
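The following is an added example that puts Phil's advice together into one consistent configuration; it is not the poster's final config nor code from the FreeRADIUS project. It assumes a FreeRADIUS 2.x layout (a top-level `filter` in the `ldap` module, `suffix` splitting the realm) and keeps the thread's `<urn prefix>` placeholder as-is.

```unlang
# modules/ldap (2.x style): the filter now reads the attribute from the
# "control" list, which is where the unlang stanza below puts it.
ldap {
    ...
    filter = "(&(mail=%{User-Name})(schacUserStatus=<urn prefix>:%{control:X-Actica-Service}:enabled))"
    ...
}

# sites-enabled/default: replaces the "users" DEFAULT entry from the thread.
authorize {
    preprocess
    suffix            # strips "@um.es" and sets Realm

    if (Realm == "um.es") {
        update control {
            # ":=" so the value is always exactly this one, regardless of
            # anything already present in the lists.
            X-Actica-Service := "vpn"
        }
    }
    else {
        # Requests for other realms never reach the LDAP lookup here.
        reject
    }

    # No "Auth-Type = LDAP" anywhere: with the user found in LDAP and no
    # password attribute returned, the ldap module sets Auth-Type itself.
    ldap
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}
```

With `ldap` listed in `authorize`, a user whose `schacUserStatus` lacks the `...:vpn:enabled` value is rejected there, before any bind is attempted; check the debug output (`radiusd -X`) for the expanded filter to confirm `%{control:X-Actica-Service}` resolved to `vpn`.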