Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

> Craig Huckabee <[EMAIL PROTECTED]> wrote:
>
> > However, if I use this:
> >
> > DEFAULT User-Name =~  "^([^/]+)/(.*)"
> >    Foo = `%{2}`
> > ...
> >
> > then attempt to look at Foo using %{reply:Foo}, I get the expected value
> > and the filter works.
>
>   Try the original, but look for foo in %{Foo}, or %{request:Foo}
>
>   Alan DeKok.

Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
setting Foo on the check line in users.

:(

Anything else you can think of ?

--Craig

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Confused by doc/variables.txt

2004-05-10 Thread Alan DeKok
Craig Huckabee <[EMAIL PROTECTED]> wrote:
> Doesn't work - both %{Foo} and %{request:Foo} come back empty when 
> setting Foo on the check line in users.

  Hmm...

> Anything else you can think of ?

  Try using another attribute.

  Or, follow the code execution in src/modules/rlm_files/rlm_files.c

  Alan DeKok.



Re: Confused by doc/variables.txt

2004-05-10 Thread Craig Huckabee


Alan DeKok wrote:

> Craig Huckabee <[EMAIL PROTECTED]> wrote:
>
> > Doesn't work - both %{Foo} and %{request:Foo} come back empty when
> > setting Foo on the check line in users.
>
>   Hmm...
>
> > Anything else you can think of ?
>
>   Try using another attribute.
>
>   Or, follow the code execution in src/modules/rlm_files/rlm_files.c
>
>   Alan DeKok.

I may try the latter later on today.  Thanks!

--Craig



--
/ Craig Huckabee|  e-mail: [EMAIL PROTECTED] /
/ Code 715-CH   |   phone: (843) 218 5653   /
/ SPAWAR Systems Center | close proximity: "Hey You!"   /
/ Charleston, SC|ICBM:  32.78N, 79.93W  /


Re: Confused by doc/variables.txt

2004-05-05 Thread Kostas Kalevras
On Tue, 4 May 2004, Craig Huckabee wrote:

>
> Where can the regular expressions discussed in 'doc/variables.txt' be
> used ?  I'd like to modify the User-Name attribute as passed in for use
> as a filter for rlm_ldap.
>
> For example, during an EAP-TLS, I get an EAP packet like this:
>
> NAS-IP-Address = ...
> NAS-Port-Type = Async
> User-Name = "host/g21476.fo.bar"
> Service-Type = Framed-User
> Framed-MTU = 1500
> Calling-Station-Id = ...
> State = ...
> EAP-Message = ...
> Message-Authenticator = ...
>
>
> I'd like to strip off the 'host/' from User-Name and use that as a
> filter in rlm_ldap for the authorize step, like:
>
> ldap {
>   ...
>   User-Name =~ "^([^/]+)/(.*)"
>   filter = "(cn=`%{2}`)"
>  ...
>}
> That fails horribly (cn='') so I'm not sure where those types of regex
> statements can be used in radiusd.conf.

The above won't work. You can't just add the User-Name line in the rlm_ldap
configuration and expect it to work.

You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
a Hint variable in the users file and use that as the filter:

--users--
DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`

--radiusd.conf--
ldap {
filter = "(cn=%{check:Hint})"
...
}

>
> Is that possible or am I completely misunderstanding variables.txt ?
> I'm running FreeRADIUS built from CVS as of 4/21/04.
>
> Thanks,
> Craig
>
> PS Forgive the wandering nature of this e-mail, 12+ hours at work...

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
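
Added example, not part of the original thread and not FreeRADIUS code: a Python model of what the regex in the users entry above captures from the sample User-Name, and of a `(cn=...)` filter built from the second group. The function names, the refusal to build a filter from a missing or empty capture, and the RFC 4515 escaping step are assumptions of this example, not behaviour the thread describes.

```python
import re

# Pattern quoted from the users-file entry in the thread.
USER_NAME_RE = re.compile(r"^([^/]+)/(.*)")

# RFC 4515 section 3: characters that must be written as \XX inside a
# filter assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_user_name(user_name):
    """Return the capture groups as {0: whole, 1: prefix, 2: rest}, or None on no match."""
    m = USER_NAME_RE.match(user_name)
    if m is None:
        return None
    return {0: m.group(0), 1: m.group(1), 2: m.group(2)}


def ldap_escape(value):
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_cn_filter(user_name):
    """Build (cn=<group 2>) from a User-Name, or None when there is nothing to search for.

    Returning None for a non-matching or empty capture keeps the caller from
    sending an empty cn= assertion to the directory.
    """
    groups = split_user_name(user_name)
    if groups is None or groups[2] == "":
        return None
    return "(cn=%s)" % ldap_escape(groups[2])


if __name__ == "__main__":
    # Sample values: the first is the User-Name quoted in the thread,
    # the others are constructed for this example.
    for name in ("host/g21476.fo.bar", "g21476.fo.bar", "host/", "host/pc(lab)*"):
        print(repr(name), "->", build_cn_filter(name))
```
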



Re: Confused by doc/variables.txt

2004-05-05 Thread Craig Huckabee


Kostas Kalevras wrote:

> The above won't work. You can't just add the User-Name line in the rlm_ldap
> configuration and expect it to work.

I didn't expect it to just work, but I wanted to at least try something
before posting a question.  The documentation isn't as clear as your
answer so I was grasping at straws.

> You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
> a Hint variable in the users file and use that as the filter:
>
> --users--
> DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`
>
> --radiusd.conf--
> ldap {
> filter = "(cn=%{check:Hint})"
> ...
> }

I tried adding the expression to the users file as you suggest - that 
doesn't appear to work either.  I still end up with a cn='' filter.  Any 
other ideas are greatly appreciated.

Thanks,
Craig


Re: Confused by doc/variables.txt

2004-05-05 Thread Kostas Kalevras
On Wed, 5 May 2004, Craig Huckabee wrote:

>
>
> Kostas Kalevras wrote:
>
> >
> > The above won't work. You can't just add the User-Name line in the rlm_ldap
> > configuration and expect it to work.
>
> I didn't expect it to just work, but I wanted to at least try something
> before posting a question.  The documentation isn't as clear as your
> answer so I was grasping at straws.
>
>
> >
> > You can either use rlm_attr_rewrite to strip the 'host/' part, or probably add
> > a Hint variable in the users file and use that as the filter:
> >
> > --users--
> > DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`
> >
> > --radiusd.conf--
> > ldap {
> > filter = "(cn=%{check:Hint})"
> > ...
> > }
> >
> >
>
> I tried adding the expression to the users file as you suggest - that
> doesn't appear to work either.  I still end up with a cn='' filter.  Any
> other ideas are greatly appreciated.

The other idea is to use attr_rewrite as already suggested. In any case, make
sure that the files module comes before ldap in the authorize section for the
above to work.

>
> Thanks,
> Craig

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



Re: Confused by doc/variables.txt

2004-05-06 Thread Craig Huckabee


Kostas Kalevras wrote:

> The other idea is to use attr_rewrite as already suggested. In any case, make
> sure that the files module comes before ldap in the authorize section for the
> above to work.

attr_rewrite works but breaks EAP for me :(

I've reattempted using the users file again, and double checked that
files does indeed come before the ldap sections in the authorize section
- still get a blank filter.

A debug run shows that files is indeed getting processed, somehow 'Hint'
is never getting set.  Could my regex be wrong ?

DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`
        Fall-Through = yes

Thanks,
Craig


Re: Confused by doc/variables.txt

2004-05-06 Thread Craig Huckabee
Another data point -

  Trying to follow the examples given in variables.txt and using the 
'users' file, things like:

DEFAULT User-Name =~ "^([^/]+)/(.*)",
        Everything = `%{0}`,
        Test-Variable = `%{2}`,
        Fall-Through = yes

causes a core dump on startup.

--Craig



Re: Confused by doc/variables.txt

2004-05-06 Thread Alan DeKok
Craig Huckabee <[EMAIL PROTECTED]> wrote:
>Trying to follow the examples given in variables.txt and using the 
> 'users' file, things like:
> 
> DEFAULT User-Name =~ "^([^/]+)/(.*)",
>   Everything = `%{0}`,
>   Test-Variable = `%{2}`,
>  Fall-Through = yes
> 
> causes a core dump on startup.

  Cute.  I've fixed it.

  Alan DeKok.



Re: Confused by doc/variables.txt

2004-05-07 Thread Craig Huckabee


Craig Huckabee wrote:

> attr_rewrite works but breaks EAP for me :(
>
> I've reattempted using the users file again, and double checked that
> files does indeed come before the ldap sections in the authorize
> section - still get a blank filter.
>
> A debug run shows that files is indeed getting processed, somehow
> 'Hint' is never getting set.  Could my regex be wrong ?
>
> DEFAULT User-Name =~ "^([^/]+)/(.*)", Hint := `%{2}`
>         Fall-Through = yes

Just to follow up to myself, here is the behavior I'm seeing (using 
FreeRADIUS built from CVS yesterday to include Alan's fix - thanks!)

If I use this in the users file:

DEFAULT User-Name =~  "^([^/]+)/(.*)", Foo := `%{2}`
...
then attempt to look at Foo using %{check:Foo} (in radiusd.conf), I get 
nothing - Foo is empty.

However, if I use this:

DEFAULT User-Name =~  "^([^/]+)/(.*)"
   Foo = `%{2}`
...
then attempt to look at Foo using %{reply:Foo}, I get the expected value 
and the filter works.

(note Foo is defined in the dictionary as a custom attribute, wasn't 
100% sure if that was required - using Hint yielded the same results)

So, should 'check:' work for the first case ?  Is this a bug
or (more likely) something I'm missing from my configuration ?

Thanks in advance and also thanks for the patience while I learn the ins 
and outs of the configuration.

--Craig



Re: Confused by doc/variables.txt

2004-05-07 Thread Alan DeKok
Craig Huckabee <[EMAIL PROTECTED]> wrote:
> However, if I use this:
> 
> DEFAULT User-Name =~  "^([^/]+)/(.*)"
> Foo = `%{2}`
> ...
> 
> then attempt to look at Foo using %{reply:Foo}, I get the expected value 
> and the filter works.

  Try the original, but look for foo in %{Foo}, or %{request:Foo}

  Alan DeKok.
