Question regarding multivalued attributes in control list.
Hello,

I've been trying for two weeks to do some multi-valued attribute checking on my RADIUS infrastructure. I've been looking at checkval, using the users file and such, but with no luck.

I'm running two FR 2.1.10 on Ubuntu for the eduroam project. The local authentication is made against a Novell eDirectory LDAP server. I'm fetching a multi-valued attribute from the LDAP into the control list, and based on its content, I set the correct Airespace-Interface-Name value.

At the beginning I was using unlang to match the value, and it works perfectly since 90% of the people only have one attribute. But some people have multiple attributes.

So far, this is what I've been using. In the virtual server, at the end of authorize {}:

    if (NAS-IP-Address =~ /160\.98\.156\..*/) {
        $INCLUDE ${confdir}/secure-hefr.policy
    }

secure-hefr.policy content:

    if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
        update reply {
            Airespace-Interface-Name := wifi_eia-etu
        }
    }
    elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
        update reply {
            Airespace-Interface-Name := wifi_eia-col
        }
    }
    elsif { }
    [ ... ]

Some debug from a user who is multi-valued:

    server eduroam-inner-tunnel-peap {
    # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
    +- entering group authorize {...}
    ++[mschap] returns noop
    [suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
    [suffix] Found realm hefr.ch
    [suffix] Adding Realm = hefr.ch
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    ++[control] returns ok
    [eap] EAP packet type response id 11 length 6
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
    [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
    [auth_log] expand: %t - Fri Sep 2 15:45:08 2011
    ++[auth_log] returns ok
    [linelog] expand: %{Packet-Type} - Access-Request
    [linelog] expand: %{%{Packet-Type}:-format} - Access-Request
    [linelog] expand: /var/log/freeradius/linelog - /var/log/freeradius/linelog
    [linelog] expand: Requested access: %{User-Name} - Requested access: didier.perr...@hefr.ch
    ++[linelog] returns ok
    ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
    ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
    ++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
    ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
        expand: %{1} - didier.perroud
    +++[request] returns ok
    ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
    ++[files] returns noop
    [ldap] performing user authorization for didier.perroud
    [ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
    [ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud)
    [ldap] Added the eDirectory password *** in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-HEFR-EIFR-TICO-TLCO-$-RSM
    [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
    [ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RACA-TICO-MSEI-MTIC-$-RCA
    [ldap] looking for reply items in directory...
    [ldap] hessoRoleMemberKey - Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
    [ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341
    [ldap] hessoRoleMemberKey - Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
    [ldap] user didier.perroud authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    [pap] WARNING: Auth-Type already set. Not setting to PAP
    ++[pap] returns noop
    ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
    ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
    ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
    ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
    +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
    ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) - FALSE
    +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) - FALSE
    +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
    ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) - FALSE
    +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) - FALSE
    +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
    ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) - TRUE
    +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) - TRUE
    +++- entering elsif
Re: Question regarding multivalued attributes in control list.
No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.

Plus the way you're doing policies is weird. Why don't you just use the policy module (policy.conf)? It'd be way more memory efficient if you're using the same policy multiple times, and you gain the ability to overload module calls...

-Arran

On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
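As an added example (not from this thread or the FreeRADIUS project), the rlm_perl route Arran mentions: this module walks every instance of control:HESSO-MEMBER-KEY, so the interface is decided by the order of the policy rules rather than by whichever value eDirectory happens to return first, which is what the 2.1.x unlang `if` silently does. It assumes a hypothetical file hesso-policy.pl loaded by the perl module (module = path to this file, func_authorize = authorize) and called as `perl` inside the existing NAS-IP-Address `if` in place of the $INCLUDE; the post's two regexes are reused, anchored with ^.

```perl
#!/usr/bin/perl
# rlm_perl policy module (hypothetical file hesso-policy.pl): inspect EVERY
# instance of control:HESSO-MEMBER-KEY instead of only the first one.
use strict;
use warnings;

# Populated by rlm_perl before each call (FreeRADIUS 2.1.x). A multi-valued
# attribute arrives as an array reference, a single-valued one as a scalar.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Ordered policy: the FIRST rule matching ANY key wins, so rule order, not the
# order in which eDirectory returns the values, decides the interface/VLAN.
my @POLICY = (
    [ qr/^RORG-MASO.*RCA$/,      'wifi_eia-etu' ],
    [ qr/^RORG-HEFR-EIFR.*RSM$/, 'wifi_eia-col' ],
);

# Flatten an attribute value (scalar, array ref or undef) into a plain list.
sub all_values {
    my ($v) = @_;
    return ()  unless defined $v;
    return @$v if ref $v eq 'ARRAY';
    return ($v);
}

# Return the interface for the given keys, or undef when no rule matches.
sub select_interface {
    my @keys = @_;
    for my $rule (@POLICY) {
        my ($re, $iface) = @$rule;
        for my $key (@keys) {
            return $iface if $key =~ $re;
        }
    }
    return undef;
}

# Entry point for rlm_perl (func_authorize = authorize).
sub authorize {
    my @keys  = all_values($RAD_CHECK{'HESSO-MEMBER-KEY'});
    my $iface = select_interface(@keys);
    return RLM_MODULE_NOOP unless defined $iface;
    $RAD_REPLY{'Airespace-Interface-Name'} = $iface;
    &radiusd::radlog(1, "HESSO-MEMBER-KEY: " . scalar(@keys) . " value(s), interface $iface");
    return RLM_MODULE_UPDATED;
}

# Stand-alone self-check (radiusd::radlog only exists inside FreeRADIUS) with a
# constructed copy of the three values shown in the debug output.
unless (defined &radiusd::radlog) {
    my @keys = ('RORG-HEFR-EIFR-TICO-TLCO-$-RSM', 'RORG-MASO-$-RCA',
                'RACA-TICO-MSEI-MTIC-$-RCA');
    printf "all instances  : %s\n", select_interface(@keys);
    printf "first instance : %s\n", select_interface($keys[0]);
}
1;
```

Run stand-alone it reports wifi_eia-etu when all three instances are consulted but wifi_eia-col when only the first one is, which is exactly the elsif branch the debug output above took.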
Re: Question regarding multivalued attributes in control list.
Thanks Arran for those answers,

> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.

hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or I'll simply fall back to rlm_perl. But not on a Friday evening, it will wait till Monday!

> Plus the way you're doing policies is weird. Why don't you just use the policy module (policy.conf)? It'd be way more memory efficient if you're using the same policy multiple times, and you gain the ability to overload module calls...

You're right, I'll move this into the policy file, didn't think about it.

Regards,
Olivier B.

> -Arran
>
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:

> Thanks Arran for those answers,
>
>> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.
>
> hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or I'll simply fall back to rlm_perl. But not on a Friday evening, it will wait till Monday!

Tentative yes :) It'll only get truly production ready if people test it and report the bugs. But yes, it's good enough to build configs on, and good enough to test.

If you do a git-clone then you can establish basic version control with something like:

    #!/bin/bash
    # Build the current git HEAD into its own prefix and repoint the
    # /usr/local/freeradius symlink at it, so rolling back is one ln -s.
    set -e                       # stop before touching the symlink if any step fails
    cd /usr/local/src/freeradius
    git pull
    make clean || true           # no Makefile yet on a fresh clone
    hash=`git log -n 1 --pretty=format:%h`
    ./configure --prefix=/usr/local/freeradius-$hash --enable-developer
    make
    make install
    rm /usr/local/freeradius
    ln -s /usr/local/freeradius-$hash /usr/local/freeradius

Once you find a commit that does all you want, stick with it until there's an official 3.x release and then upgrade. For certain fixes you'll be able to use git cherry-pick to pull in individual commits.

-Arran
Re: Question regarding multivalued attributes in control list.
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.

Last time I checked[1] it seemed trivial to backport to 2.1.x.

Cheers

[1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html

--
Alexander Clouter
.sigmonster says: An algorithm must be seen to be believed. -- D. E. Knuth

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 23:16, Alexander Clouter wrote:

> Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>
>> No, your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl.
>
> Last time I checked[1] it seemed trivial to backport to 2.1.x.
>
> Cheers

Shhh we need more guinea pigs, I mean users...

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter