Long-winded response with many examples and captures of test sessions coming up:
> Well, you are seeing two problems - the first was a "bug" in 2.14.1 in
> that only a single attribute would be handled by AddToReplyIfNotExist.
Alrighty. This is fixed in 2.15?
> However the second problem with what you are doing is that after the
> first insertion of the Ascend-Data-Filter, you then have an attribute
> of that name, and further additions with the same name will fail, by
> definition.
?? How do I send back multiple definitions of the same attribute? If I
set this up as a 'replyitem' (pulled from LDAP) it works fine. It's just
when it's being pulled from the configuration file that it fails.
How would you send back a complex data filter?
> I think you will have to send me a copy of your configuration file
> together with an explanation of what you are trying to do.
No problem. Here it is:
------config file-----------
<Realm mydomain.com>
AuthByPolicy ContinueUntilAccept
<AuthBy SQL>
DBSource dbi:Pg:dbname=radiator;host=10.0.0.1
DBUsername
DBAuth
# by leaving 'AuthSelect' blank... no authentication is done
AuthSelect
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef ASYNCIPADDRESS,Framed-IP-Address
</AuthBy>
<AuthBy LDAP>
HoldServerConnection
NoDefaultIfFound
Host localhost
Port 389
BaseDN ou=mydomain.com, o=mycompany
UsernameAttr uid
PasswordAttr userpassword
AuthAttrDef netmask, Framed-IP-Netmask, reply
ReplyAttr replyitems
AddToReplyIfNotExist Service-Type=Framed-User,Framed-Protocol=PPP,Ascend-Assign-IP-Pool=0
# AddToReplyIfNotExist Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"
</AuthBy>
</Realm>
---------------END-----------
The reasoning. The 'AddToReplyIfNotExist' that is not commented out is
the one I'm currently using (all attributes _ARE_ being returned
properly BTW). The commented one is the data filter that I was testing.
The only attribute that gets sent is the first one (which is bad because
it'll only forward established connections). What I _WANT_ to happen is
for an entire filter sequence to be sent to the NAS that says:
if it's an established connection, forward it
if the destination is 10.0.0.5, forward it
if the destination port is 25, drop it
forward everything else
The purpose of this is to restrict dialup users to only being able to
use designated SMTP relays. If I add this to an individual user and
allow it to be pulled in via ReplyAttr (from OpenLDAP):
uid=seames, ou=mydomain.com, o=mycompany
ou=mydomain.com
userpassword=supersecretpassword
gecos=Steve Ames
loginshell=/usr/local/bin/tcsh
protocol=PPP
uid=seames
homedirectory=/home/s/seames
enabled=1
replyitems=Ascend-Data-Filter="ip in forward tcp est",Ascend-Data-Filter="ip in forward dstip 10.0.0.5", Ascend-Data-Filter="ip in drop tcp dstport=25",Ascend-Data-Filter="ip in forward"
This works just fine. All of the attributes are returned correctly and
in the order they appear:
winrad1# radpwtst -s 127.0.0.1 -secret supersecret -trace -user [EMAIL PROTECTED] -password supersecretpassword
Code: Access-Request
Identifier: 211
Authentic: 1234567890123456
Attributes:
User-Name = "[EMAIL PROTECTED]"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
User-Password = "<213>*S<191>U<190><8> K<230>Yze1<22><247>"
sending Access-Request...
OK
Code: Access-Accept
Identifier: 211
Authentic: <11>~<226><184>3<167><156>;<167>q=<241><196>o<218><224>
Attributes:
Ascend-Data-Filter = ip in forward tcp est
Ascend-Data-Filter = ip in forward dstip 10.0.0.5/32
Ascend-Data-Filter = ip in drop tcp dstport = 25
Ascend-Data-Filter = ip in forward
Service-Type = Framed-User
Framed-Protocol = PPP
Maximum-Time = 0
Works fine from a ReplyAttr. But if the account doesn't have the
ReplyAttr information and I, instead, want to insert it using
"AddToReplyIfNotExist" then it fails.
Help?
-Steve
===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
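The behaviour described in the message above, modelled as an added Python example (this is not Radiator code and not the poster's; Radiator's own parser and the NAS filter engine are not reproduced). It parses a comma-separated Attr=value list such as the replyitems value above, builds the reply under either an append policy (what ReplyAttr did here) or an add-only-if-no-attribute-of-that-name-exists policy (what AddToReplyIfNotExist does by definition), and then runs the resulting Ascend-Data-Filter sequence against constructed sample packets. Assumptions not stated on the page: filters are evaluated in order with first match winning, and once any filter is present a packet that matches none of them is dropped; the sample packets and the 192.0.2.10 address are made up.

```python
import ipaddress
import re

# One "Name=value" item; value is "double quoted" (may hold commas) or bare.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*=\s*("([^"]*)"|[^,]*)\s*(?:,|$)')


def parse_reply_items(text):
    """Parse 'A=v,B="x, y"' into an ordered list of (name, value) pairs."""
    items, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError("cannot parse reply items at %r" % text[pos:pos + 20])
        name, bare, quoted = m.groups()
        items.append((name, quoted if quoted is not None else bare.strip()))
        pos = m.end()
    return items

def add_to_reply(reply, items):
    """ReplyAttr-style: append every item; repeated names are kept, in order."""
    reply.extend(items)
    return reply

def add_to_reply_if_not_exist(reply, items):
    """AddToReplyIfNotExist-style: add an item only while the reply has no
    attribute of that name, so the 2nd..nth Ascend-Data-Filter is skipped."""
    for name, value in items:
        if all(n != name for n, _ in reply):
            reply.append((name, value))
    return reply

def parse_filter(spec):
    """Parse the Ascend-Data-Filter subset used on the page:
    ip <in|out> <forward|drop> [tcp|udp|icmp] [est] [dstip A.B.C.D[/n]] [dstport [=] N]"""
    toks = spec.replace("=", " = ").split()
    if len(toks) < 3 or toks[0] != "ip" or toks[1] not in ("in", "out") or toks[2] not in ("forward", "drop"):
        raise ValueError("unsupported filter: %r" % spec)
    rule = {"dir": toks[1], "action": toks[2], "proto": None, "est": False, "dstip": None, "dstport": None}
    i = 3
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("tcp", "udp", "icmp"):
            rule["proto"] = t
        elif t == "est":
            rule["est"] = True
        elif t == "dstip":
            rule["dstip"], i = ipaddress.ip_network(toks[i]), i + 1
        elif t == "dstport":
            if toks[i] == "=":      # optional comparator: "dstport=25" or "dstport = 25"
                i += 1
            rule["dstport"], i = int(toks[i]), i + 1
        else:
            raise ValueError("unsupported token %r in %r" % (t, spec))
    return rule

def filter_matches(rule, pkt):
    """Every field the rule specifies must match the packet."""
    return (rule["dir"] == pkt["dir"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (not rule["est"] or pkt["est"])
            and (rule["dstip"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dstip"])
            and (rule["dstport"] is None or rule["dstport"] == pkt["dstport"]))

def filter_decision(reply, pkt):
    """First matching Ascend-Data-Filter in the reply decides.  No filters at all:
    forward.  Filters present but none matching: drop (assumed implicit deny)."""
    rules = [parse_filter(v) for n, v in reply if n == "Ascend-Data-Filter"]
    if not rules:
        return "forward"
    for rule in rules:
        if filter_matches(rule, pkt):
            return rule["action"]
    return "drop"

# The filter sequence from the post (10.0.0.5 is the permitted SMTP relay).
FILTER_ITEMS = ('Ascend-Data-Filter="ip in forward tcp est",'
                'Ascend-Data-Filter="ip in forward dstip 10.0.0.5", '
                'Ascend-Data-Filter="ip in drop tcp dstport=25",'
                'Ascend-Data-Filter="ip in forward"')

def make_pkt(dst, dstport, est=False):
    """Constructed sample packet from the dialup user (direction 'in', TCP)."""
    return {"dir": "in", "proto": "tcp", "est": est, "dst": dst, "dstport": dstport}

# Constructed samples; 192.0.2.10 stands in for any host that is not the relay.
PACKETS = {"smtp_to_relay": make_pkt("10.0.0.5", 25), "smtp_elsewhere": make_pkt("192.0.2.10", 25),
           "http": make_pkt("192.0.2.10", 80), "established": make_pkt("192.0.2.10", 22, est=True)}

def decisions(policy):
    """Build the reply under the given insertion policy and decide each packet."""
    reply = policy([], parse_reply_items(FILTER_ITEMS))
    return {name: filter_decision(reply, p) for name, p in PACKETS.items()}
```

Under the append policy all four filters reach the NAS and the sample packets come out as forward (SMTP to the relay), drop (SMTP elsewhere), forward (HTTP) and forward (established flow). Under the if-not-exist policy only the first filter survives, so every new connection is dropped and only the established flow is forwarded, which is the failure the post reports.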