Re: variable problem
my apologies I answered before reading the question. It looks like there
is a character that is terminating the search

in radiusd.my.modules

ldap uid_check {
    server = "ldap"
    ...
    access_attr = "uid"
    filter="(&(objectClass=posixAccount)(description=remote)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    ...

output from radiusd -X

...
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "lanl.gov" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "lanl.gov"
rlm_realm: Adding Stripped-User-Name = "klg"
...
radius_xlat: '(&(objectClass=posixAccount)(description=remote)(uid=klg))'

On Tue, 2005-02-15 at 11:22, Mike Sturdee wrote:
> In part of my ldap config section, I obtain the gid with an ldap lookup,
> then use my ${gid} variable in the groupmembership_filter. Up until
> recently I had simply been using %{User-Name}, but now have the need to
> use the check for Stripped-User-Name before using User-Name. That works in
> everywhere but my gid ldap lookup. I included my groupmembership_filter
> line just to show the context of the ${gid} use.
>
> Any pointers to what I may need to do differently is appreciated.
>
> --
>
> FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on
> Dec 17 2004 at 12:56:19
>
> --
> # radiusd.conf
>
> gid = %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
> (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}
>
> groupname_attribute = cn
> groupmembership_filter =
> "(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"
>
> --
> # debugging output
>
> --snip--
>
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'dc=domain,dc=com'
> radius_xlat: Running registered xlat function of module ldap1 for string
> 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
> rlm_ldap: - ldap_xlat
> radius_xlat: 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter
> (&(uid=mike
> rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
> rlm_ldap: Search returned error
>
> --snip--
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
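The truncation in the quoted debug output, as an added example that is not part of the original posts and is not FreeRADIUS code: the string handed to the ldap1 xlat function ends just before the inner `:-`, which is what a scanner produces if it treats the first `:-` or `}` it meets as belonging to the outer `%{ldap1:...}` expansion. That cause is an assumption inferred from where the logged string stops; the function names are hypothetical.

```python
# Added illustration; function names are hypothetical, not FreeRADIUS code.
# GID_EXPR is the gid line quoted in the thread with its continuation joined.
GID_EXPR = ("%{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?"
            "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}")

def split_module_call(expr):
    """Return (module name, offset of the argument) for '%{module:argument}'."""
    if not expr.startswith("%{"):
        raise ValueError("not a %{...} expansion")
    colon = expr.index(":", 2)
    return expr[2:colon], colon + 1

def argument_flat(expr):
    """Assumed faulty scan: the first ':-' or '}' anywhere ends the argument."""
    _, start = split_module_call(expr)
    ends = [i for i in (expr.find(":-", start), expr.find("}", start)) if i != -1]
    if not ends:
        raise ValueError("unterminated expansion")
    return expr[start:min(ends)]

def argument_nested(expr):
    """Depth-aware scan: ':-' and '}' end the argument only at the outer level."""
    _, start = split_module_call(expr)
    depth, i = 0, start
    while i < len(expr):
        if expr.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if expr[i] == "}":
            if depth == 0:
                return expr[start:i]
            depth -= 1
        elif depth == 0 and expr.startswith(":-", i):
            return expr[start:i]
        i += 1
    raise ValueError("unterminated expansion")

def ldap_filter_balanced(url):
    """Check parenthesis balance of the filter part of base?attrs?scope?filter."""
    parts = url.split("?", 3)
    if len(parts) < 4:
        return False
    depth = 0
    for ch in parts[3]:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0
```

`argument_flat(GID_EXPR)` returns the same string the log shows being passed to ldap1, and its filter part has unbalanced parentheses, matching the "Bad search filter" error; `argument_nested(GID_EXPR)` returns the full LDAP URL with a balanced filter.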
Re: variable problem
The %{Stripped-User-Name... is being set in the suffix portion of the
authorize section so I added one in front of where I was doing the ldap
uid checking re:

In radiusd.conf I put

authorize {
    preprocess
    auth_log
    $INCLUDE ${raddbdir}/radiusd.my.authorize
    chap
    mschap
    suffix
    ntdomain
    ...

in radiusd.my.authorize I have

#authorize { #section
# preprocess #(in radiusd.conf)
# auth_log #(in radiusd.conf)
# group {
    redundant {
        ip_check
        ip_check_backup
    }
    mac_check {
        fail = 1
    }
    suffix
    redundant {
        uid_check
        uid_check_backup
        ...

On Tue, 2005-02-15 at 11:22, Mike Sturdee wrote:
> In part of my ldap config section, I obtain the gid with an ldap lookup,
> then use my ${gid} variable in the groupmembership_filter. Up until
> recently I had simply been using %{User-Name}, but now have the need to
> use the check for Stripped-User-Name before using User-Name. That works in
> everywhere but my gid ldap lookup. I included my groupmembership_filter
> line just to show the context of the ${gid} use.
>
> Any pointers to what I may need to do differently is appreciated.
>
> --
>
> FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on
> Dec 17 2004 at 12:56:19
>
> --
> # radiusd.conf
>
> gid = %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
> (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}
>
> groupname_attribute = cn
> groupmembership_filter =
> "(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"
>
> --
> # debugging output
>
> --snip--
>
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'dc=domain,dc=com'
> radius_xlat: Running registered xlat function of module ldap1 for string
> 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
> rlm_ldap: - ldap_xlat
> radius_xlat: 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter
> (&(uid=mike
> rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
> rlm_ldap: Search returned error
>
> --snip--
variable problem
In part of my ldap config section, I obtain the gid with an ldap lookup,
then use my ${gid} variable in the groupmembership_filter. Up until
recently I had simply been using %{User-Name}, but now have the need to
use the check for Stripped-User-Name before using User-Name. That works in
everywhere but my gid ldap lookup. I included my groupmembership_filter
line just to show the context of the ${gid} use.

Any pointers to what I may need to do differently is appreciated.

--

FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on
Dec 17 2004 at 12:56:19

--
# radiusd.conf

gid = %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}

groupname_attribute = cn
groupmembership_filter =
"(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"

--
# debugging output

--snip--

rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: Running registered xlat function of module ldap1 for string
'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
rlm_ldap: - ldap_xlat
radius_xlat: 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter
(&(uid=mike
rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
rlm_ldap: Search returned error

--snip--