Re: Setting Class attribute by LDAP Groups

2013-07-04 Thread Phil Mayers

On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:

> update request {
>     Class = "%{Ldap-Group}"
> }

You can't do that, because Ldap-Group is not a real attribute with a 
value; it's a virtual attribute, which you compare against (think about 
it - you can be in >1 group)


You would have to do something like this:

  if (Ldap-Group == "grp1") {
    update reply {
      Class = "grp1"
    }
  }

...which can be slow-ish as it does 1 LDAP query per comparison.

Also note Class is a reply attribute; adding it to request does nothing.


> I did read somewhere if you included the Class variable within the reply
> in the Access-Accept packet that it would be sent back and used within
> the accounting messages as well but this hasn't been the case for me.


Well, as noted above you're setting class in request not reply.



> Even if it's just some static variable that I set within the
> 'acct_users' to get it to send the class attribute; this will achieve my
> goal.
>
> Assuming that the 'users' file and the 'acct_users' file have the same
> behaviour then why can't I set Class within the 'acct_users' file like I
> can with 'users' file?


acct_users runs on accounting packets, which is *after* the 
Access-Accept has been sent. You need to set it in authorize or better 
yet, post-auth, for it to get into the Access-Accept.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
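The pattern Phil describes, filled out as an added example (this is not code from the thread or from the FreeRADIUS project): a post-auth section that maps group membership to Class with one Ldap-Group comparison per group, and a preacct section that handles the case where the NAS did not echo Class back in the Accounting-Request. The group names "staff" and "students", the fallback values, and the placement in sites-enabled/default are assumptions.

```unlang
# Added example, not from the thread. Goes in sites-enabled/default.
# Group names, fallback values and module names are assumptions.

post-auth {
    # Each Ldap-Group comparison is a separate LDAP group query, so keep the
    # chain short and order it by the most common group. Only the first
    # matching branch sets Class; Class must go in the reply list to reach
    # the Access-Accept.
    if (Ldap-Group == "staff") {
        update reply {
            Class := "staff"
        }
    }
    elsif (Ldap-Group == "students") {
        update reply {
            Class := "students"
        }
    }
    else {
        update reply {
            Class := "unknown"
        }
    }
}

preacct {
    # Accounting-Requests arrive after the Access-Accept has been sent, so
    # nothing set in post-auth is visible here unless the NAS copied Class
    # from the Access-Accept. If it did, leave it alone; if not, record an
    # explicit marker so the accounting modules (and any proxy) still see
    # a Class value instead of silently logging nothing.
    if (Class) {
        ok
    }
    else {
        update request {
            Class := "missing"
        }
    }
}
```

Setting Class in the request list is only meaningful in preacct, where the request is the Accounting-Request that the detail, SQL or proxy modules will process next; in authorize or post-auth the same update would be discarded, as Phil notes.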


Re: Setting Class attribute by LDAP Groups

2013-07-04 Thread Arran Cudbard-Bell

On 4 Jul 2013, at 08:22, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:
>
>> update request {
>>     Class = "%{Ldap-Group}"
>> }
>
> You can't do that, because Ldap-Group is not a real attribute with a value;

You can do:

update reply {
    Class = "%{control:Ldap-Group}"
}

In 3.0. Class will then contain the value of the first membership attribute in 
the user object, or the first group returned by the LDAP directory if you're 
using group objects.

If you have a primary group stored in a different attribute to other group 
membership attributes, and that's all you want to return, it may be more 
efficient to just use the %{ldap:ldap://} string expansion.

> it's a virtual attribute, which you compare against (think about it - you can
> be in >1 group)
>
> You would have to do something like this:
>
>   if (Ldap-Group == "grp1") {
>     update reply {
>       Class = "grp1"
>     }
>   }
>
> ...which can be slow-ish as it does 1 LDAP query per comparison.
>
> Also note Class is a reply attribute; adding it to request does nothing.

Or use 3.0 which allows you to retrieve all membership info in one operation 
(if you store group membership in the user object).

 
>> I did read somewhere if you included the Class variable within the reply
>> in the Access-Accept packet that it would be sent back and used within
>> the accounting messages as well but this hasn't been the case for me.
>
> Well, as noted above you're setting class in request not reply.

and this isn't guaranteed. It depends on your NAS, and even then you should 
check for value truncation. Many vendors truncate Class at 253 bytes.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

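Arran's 3.0 approach as an added example (not code from the thread or from the FreeRADIUS project): the ldap module's group subsection caches the user's memberships into control:LDAP-Group during authorize, post-auth returns the first cached group as Class, and preacct treats a missing Class explicitly because the NAS is not obliged to echo it. The base DN, the memberOf attribute, the group filter and the "nogroup" fallback are assumptions; the rest of the ldap instance (server, bind credentials, user base_dn) is left as already configured.

```unlang
# Added example, not from the thread. FreeRADIUS 3.0 only.
# Base DN, attribute names, filter and fallback value are assumptions.

# mods-available/ldap: the group { } subsection inside the ldap { } instance.
group {
    base_dn = "ou=groups,dc=example,dc=org"
    filter = "(objectClass=groupOfNames)"
    name_attribute = cn

    # Membership is stored on the user object, so the user lookup done in
    # authorize already returns every group the user belongs to.
    membership_attribute = "memberOf"

    # Write the cached names and DNs to control:LDAP-Group and
    # control:LDAP-GroupDN instead of running a query per comparison.
    cacheable_name = yes
    cacheable_dn = yes
}

# sites-enabled/default
authorize {
    # The ldap module call is what populates control:LDAP-Group.
    ldap
}

post-auth {
    # A plain %{control:LDAP-Group} expansion yields the FIRST cached value
    # only, which is what ends up in Class here. Check it exists first so a
    # user with no groups still gets a deterministic Class.
    if (&control:LDAP-Group) {
        update reply {
            &Class := "%{control:LDAP-Group}"
        }
    }
    else {
        update reply {
            &Class := "nogroup"
        }
    }
}

preacct {
    # Class is only present if the NAS copied it from the Access-Accept,
    # and some NASes truncate it. Fill in a marker when it is absent so the
    # accounting record never silently lacks the field.
    if (!&Class) {
        update request {
            &Class := "nogroup"
        }
    }
}
```

Because the expansion returns only the first value, the order of values in the user object's membership attribute decides which group is reported; if a specific "primary" group must win, it should come from its own attribute, as Arran suggests, rather than from the cached list.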


Setting Class attribute by LDAP Groups

2013-07-03 Thread Patrick Gawthorne
Hello

Currently trying to implement a way to get the Ldap-Group used for checking 
(within acct_users) into the Accounting-Request packet as the Class attribute. 
I can get it to send a static variable just fine using the following (I'm 
proxying the accounting messages):

update request {
    Class = "Some Variable"
}

However I was looking at doing something on the lines of;

update request {
    Class = "%{Ldap-Group}"
}

Also tried defining a custom variable within the dictionary file and setting it 
within acct_users; however, it expands to nothing in the preacct section. I must 
be doing something wrong.

I did read somewhere if you included the Class variable within the reply in the 
Access-Accept packet that it would be sent back and used within the accounting 
messages as well but this hasn't been the case for me.
Even if it's just some static variable that I set within the 'acct_users' to 
get it to send the class attribute; this will achieve my goal.
Assuming that the 'users' file and the 'acct_users' file have the same 
behaviour then why can't I set Class within the 'acct_users' file like I can 
with 'users' file?

Any assistance on this will be greatly appreciated. :)

Cheers,
Pat

This email, together with any attachments, is intended for the named 
recipient(s) only and may contain privileged and confidential information. If 
received in error, please inform the sender as quickly as possible and delete 
this email and any copies from your computer network. If not an intended 
recipient of this email, you must not copy, distribute or rely on it, and any 
form of disclosure, modification, distribution and/or publication of this email 
is prohibited. Unless stated otherwise, this email represents only the views of 
the sender and not the views of Pacific Lutheran College.