Question regarding multivalued attributes in control list.
Hello,
I'm trying since two week to do some multi-valued attribute checking on
my radius infrastructure.
I've been looking to checkval, using the users file and such but with
no luck.
I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against an Novell eDirectory ldap server.
I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.
At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.
So far, that's what I've been using :
In virtual server, at the end of authorize {}
if (NAS-IP-Address =~ /160\.98\.156\..*/) {
$INCLUDE ${confdir}/secure-hefr.policy
}
secure-hefr.policy content :
if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
}
elsif {
}
[ ... ]
Some debug from a user who is multi-valued :
server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
[suffix] Found realm hefr.ch
[suffix] Adding Realm = hefr.ch
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log] expand: %t - Fri Sep 2 15:45:08 2011
++[auth_log] returns ok
[linelog] expand: %{Packet-Type} - Access-Request
[linelog] expand: %{%{Packet-Type}:-format} - Access-Request
[linelog] expand: /var/log/freeradius/linelog -
/var/log/freeradius/linelog
[linelog] expand: Requested access: %{User-Name} - Requested
access: didier.perr...@hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
expand: %{1} - didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
[ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password *** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RORG-HEFR-EIFR-TICO-TLCO-$-RSM
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RACA-TICO-MSEI-MTIC-$-RCA
[ldap] looking for reply items in directory...
[ldap] hessoRoleMemberKey - Class =
0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
[ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341
[ldap] hessoRoleMemberKey - Class =
0x524143412d5449434f2d4d5345492d4d5449432d242d524341
[ldap] user didier.perroud authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++? if (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
? Evaluating (control:HESSO-MEMBER-KEY =~
/RORG-HEFR-EIFR-INTR-INFO-.-RSM/) - FALSE
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
- FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) - FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) - FALSE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) - TRUE
+++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) - TRUE
+++- entering elsif
Re: Question regarding multivalued attributes in control list.
No your check will not iterate over every instance of a value.
In order to do that you'll need to use FreeRADIUS 3.x and use the foreach
unlang construct or perl.
Plus the way you're doing policies is weird. Why don't you just use the policy
module (policy.conf)? It'd be way more memory efficient if you're using the
same policy multilple times, and you gain the ability to overload module
calls...
-Arran
On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
Hello,
I'm trying since two week to do some multi-valued attribute checking on
my radius infrastructure.
I've been looking to checkval, using the users file and such but with
no luck.
I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against an Novell eDirectory ldap server.
I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.
At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.
So far, that's what I've been using :
In virtual server, at the end of authorize {}
if (NAS-IP-Address =~ /160\.98\.156\..*/) {
$INCLUDE ${confdir}/secure-hefr.policy
}
secure-hefr.policy content :
if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
}
elsif {
}
[ ... ]
Some debug from a user who is multi-valued :
server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
[suffix] Found realm hefr.ch
[suffix] Adding Realm = hefr.ch
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log] expand: %t - Fri Sep 2 15:45:08 2011
++[auth_log] returns ok
[linelog] expand: %{Packet-Type} - Access-Request
[linelog] expand: %{%{Packet-Type}:-format} - Access-Request
[linelog] expand: /var/log/freeradius/linelog -
/var/log/freeradius/linelog
[linelog] expand: Requested access: %{User-Name} - Requested
access: didier.perr...@hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
expand: %{1} - didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
[ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password *** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RORG-HEFR-EIFR-TICO-TLCO-$-RSM
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RACA-TICO-MSEI-MTIC-$-RCA
[ldap] looking for reply items in directory...
[ldap] hessoRoleMemberKey - Class =
0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
[ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341
[ldap] hessoRoleMemberKey - Class =
0x524143412d5449434f2d4d5345492d4d5449432d242d524341
[ldap] user didier.perroud authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++? if (NAS-IP-Address =~ /160\.98\.156\..*/) - TRUE
++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
+++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
? Evaluating (control:HESSO-MEMBER-KEY =~
Re: Question regarding multivalued attributes in control list.
Thanks Arran for those answers,
No your check will not iterate over every instance of a value.
In order to do that you'll need to use FreeRADIUS 3.x and use the foreach
unlang construct or perl.
hmm, FreeRADIUS 3.x? Is it suitable for production environnement ? Or
i'll simply fall back to rlm_perl. But not on a friday evening, it will
wait till monday!
Plus the way you're doing policies is weird. Why don't you just use the
policy module (policy.conf)? It'd be way more memory efficient if you're
using the same policy multilple times, and you gain the ability to overload
module calls...
You're right, i'll move this in the policy file, didn't think about it.
Regards,
Olivier B.
-Arran
On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
Hello,
I'm trying since two week to do some multi-valued attribute checking on
my radius infrastructure.
I've been looking to checkval, using the users file and such but with
no luck.
I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against an Novell eDirectory ldap server.
I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.
At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.
So far, that's what I've been using :
In virtual server, at the end of authorize {}
if (NAS-IP-Address =~ /160\.98\.156\..*/) {
$INCLUDE ${confdir}/secure-hefr.policy
}
secure-hefr.policy content :
if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
}
elsif {
}
[ ... ]
Some debug from a user who is multi-valued :
server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
[suffix] Found realm hefr.ch
[suffix] Adding Realm = hefr.ch
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log] expand: %t - Fri Sep 2 15:45:08 2011
++[auth_log] returns ok
[linelog] expand: %{Packet-Type} - Access-Request
[linelog] expand: %{%{Packet-Type}:-format} - Access-Request
[linelog] expand: /var/log/freeradius/linelog -
/var/log/freeradius/linelog
[linelog] expand: Requested access: %{User-Name} - Requested
access: didier.perr...@hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
expand: %{1} - didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
[ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password *** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RORG-HEFR-EIFR-TICO-TLCO-$-RSM
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RACA-TICO-MSEI-MTIC-$-RCA
[ldap] looking for reply items in directory...
[ldap] hessoRoleMemberKey - Class =
0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
[ldap] hessoRoleMemberKey - Class = 0x524f52472d4d41534f2d242d524341
[ldap] hessoRoleMemberKey - Class =
0x524143412d5449434f2d4d5345492d4d5449432d242d524341
[ldap] user didier.perroud authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
?
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 16:25, Olivier Beytrison wrote:
Thanks Arran for those answers,
No your check will not iterate over every instance of a value.
In order to do that you'll need to use FreeRADIUS 3.x and use the foreach
unlang construct or perl.
hmm, FreeRADIUS 3.x? Is it suitable for production environnement ? Or
i'll simply fall back to rlm_perl. But not on a friday evening, it will
wait till monday!
Tentative yes :)
It'll only get truly production ready if people test it and report the bugs.
But yes, it's good enough to build configs on, and good enough to test.
If you do a git-clone then you can establish basic version control with
something like:
#!/bin/bash
cd /usr/local/src/freeradius
git pull
make clean
hash=`git log -n 1 --pretty=format:%h`
./configure --prefix=/usr/local/freeradius-$hash --enable-developer
make
make install
rm /usr/local/freeradius
ln -s /usr/local/freeradius-$hash /usr/local/freeradius
Once you find a commit that does all you want, stick with it until there's an
official 3.x release and then upgrade. For certain fixes you'll be able to use
git cherry-pick to pull in individual commits.
-Arran
-Arran
On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
Hello,
I'm trying since two week to do some multi-valued attribute checking on
my radius infrastructure.
I've been looking to checkval, using the users file and such but with
no luck.
I'm running two FR 2.1.10 on ubuntu for the eduroam project. The local
authentication is made against an Novell eDirectory ldap server.
I'm fetching a multi-valued attribute from the ldap into the control
list, and based on its content, I set the correct
Airespace-Interface-Name value.
At the beginning I was using unlang to match the value, and it works
perfectly since 90% of the people only have one attribute. But some
people have multiple attributes.
So far, that's what I've been using :
In virtual server, at the end of authorize {}
if (NAS-IP-Address =~ /160\.98\.156\..*/) {
$INCLUDE ${confdir}/secure-hefr.policy
}
secure-hefr.policy content :
if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-etu
}
}
elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
update reply {
Airespace-Interface-Name := wifi_eia-col
}
}
elsif {
}
[ ... ]
Some debug from a user who is multi-valued :
server eduroam-inner-tunnel-peap {
# Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
+- entering group authorize {...}
++[mschap] returns noop
[suffix] Looking up realm hefr.ch for User-Name = didier.perr...@hefr.ch
[suffix] Found realm hefr.ch
[suffix] Adding Realm = hefr.ch
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[control] returns ok
[eap] EAP packet type response id 11 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
[auth_log] expand: %t - Fri Sep 2 15:45:08 2011
++[auth_log] returns ok
[linelog] expand: %{Packet-Type} - Access-Request
[linelog] expand: %{%{Packet-Type}:-format} - Access-Request
[linelog] expand: /var/log/freeradius/linelog -
/var/log/freeradius/linelog
[linelog] expand: Requested access: %{User-Name} - Requested
access: didier.perr...@hefr.ch
++[linelog] returns ok
++? if (User-Name =~ /(.*)@.*hefr.ch$/)
? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++? if (User-Name =~ /(.*)@.*hefr.ch$/) - TRUE
++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
expand: %{1} - didier.perroud
+++[request] returns ok
++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
++[files] returns noop
[ldap] performing user authorization for didier.perroud
[ldap] expand: (uid=%{Stripped-User-Name}) - (uid=didier.perroud)
[ldap] expand: ou=courant,ou=people,o=hefr - ou=courant,ou=people,o=hefr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=courant,ou=people,o=hefr, with filter
(uid=didier.perroud)
[ldap] Added the eDirectory password *** in check items as
Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RORG-HEFR-EIFR-TICO-TLCO-$-RSM
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY == RORG-MASO-$-RCA
[ldap] hessoRoleMemberKey - HESSO-MEMBER-KEY ==
RACA-TICO-MSEI-MTIC-$-RCA
[ldap] looking for reply items in directory...
[ldap] hessoRoleMemberKey - Class =
Re: Question regarding multivalued attributes in control list.
Arran Cudbard-Bell a.cudba...@freeradius.org wrote: No your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl. Last time I checked[1] it seemed trivial to backport to 2.1.x. Cheers [1] http://lists.cistron.nl/pipermail/freeradius-users/2011-June/msg00334.html -- Alexander Clouter .sigmonster says: An algorithm must be seen to be believed. -- D. E. Knuth - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question regarding multivalued attributes in control list.
On 2 Sep 2011, at 23:16, Alexander Clouter wrote: Arran Cudbard-Bell a.cudba...@freeradius.org wrote: No your check will not iterate over every instance of a value. In order to do that you'll need to use FreeRADIUS 3.x and use the foreach unlang construct or perl. Last time I checked[1] it seemed trivial to backport to 2.1.x. Cheers Shhh we need more guinea pigs, I mean users... Arran Cudbard-Bell a.cudba...@freeradius.org RADIUS - Half the complexity of Diameter - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
