Re: variable problem

2005-02-15 Thread Kenneth Grady
My apologies, I answered before reading the question. It looks like there
is a character that is terminating the search.

In radiusd.my.modules:

ldap uid_check {
    server = "ldap"
    ...
    access_attr = "uid"
    filter="(&(objectClass=posixAccount)(description=remote)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    ...


Output from radiusd -X:

...
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "lanl.gov" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "lanl.gov"
rlm_realm: Adding Stripped-User-Name = "klg"
...
radius_xlat: '(&(objectClass=posixAccount)(description=remote)(uid=klg))'

On Tue, 2005-02-15 at 11:22, Mike Sturdee wrote:
> In part of my ldap config section, I obtain the gid with an ldap lookup, 
> then use my ${gid} variable in the groupmembership_filter. Up until 
> recently I had simply been using %{User-Name}, but now have the need to 
> use the check for Stripped-User-Name before using User-Name. That works 
> everywhere but my gid ldap lookup. I included my groupmembership_filter 
> line just to show the context of the ${gid} use.
> 
> Any pointers to what I may need to do differently are appreciated.
> 
> --
> 
> FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on 
> Dec 17 2004 at 12:56:19
> 
> --
> # radiusd.conf
> 
> gid =  %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
> (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}
> 
> groupname_attribute = cn
> groupmembership_filter = 
> "(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"
> 
> --
> # debugging output
> 
> --snip--
> 
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=domain,dc=com'
> radius_xlat: Running registered xlat function of module ldap1 for string 
> 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
> rlm_ldap: - ldap_xlat
> radius_xlat:  'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter 
> (&(uid=mike
> rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
> rlm_ldap: Search returned error
> 
> --snip--
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




Re: variable problem

2005-02-15 Thread Kenneth Grady
The %{Stripped-User-Name... is being set in the suffix portion of the
authorize section so I added one in front of where I was doing the ldap
uid checking re:

In radiusd.conf I put:

authorize {
    preprocess
    auth_log
    $INCLUDE ${raddbdir}/radiusd.my.authorize
    chap
    mschap
    suffix
    ntdomain
    ...

In radiusd.my.authorize I have:

#authorize { #section
#   preprocess #(in radiusd.conf)
#   auth_log #(in radiusd.conf)
#
group {
    redundant {
        ip_check
        ip_check_backup
    }
    mac_check {
        fail = 1
    }
    suffix
    redundant {
        uid_check
        uid_check_backup
        ...

On Tue, 2005-02-15 at 11:22, Mike Sturdee wrote:
> In part of my ldap config section, I obtain the gid with an ldap lookup, 
> then use my ${gid} variable in the groupmembership_filter. Up until 
> recently I had simply been using %{User-Name}, but now have the need to 
> use the check for Stripped-User-Name before using User-Name. That works 
> everywhere but my gid ldap lookup. I included my groupmembership_filter 
> line just to show the context of the ${gid} use.
> 
> Any pointers to what I may need to do differently are appreciated.
> 
> --
> 
> FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on 
> Dec 17 2004 at 12:56:19
> 
> --
> # radiusd.conf
> 
> gid =  %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
> (&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}
> 
> groupname_attribute = cn
> groupmembership_filter = 
> "(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"
> 
> --
> # debugging output
> 
> --snip--
> 
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'dc=domain,dc=com'
> radius_xlat: Running registered xlat function of module ldap1 for string 
> 'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
> rlm_ldap: - ldap_xlat
> radius_xlat:  'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=domain,dc=com, with filter 
> (&(uid=mike
> rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
> rlm_ldap: Search returned error
> 
> --snip--




variable problem

2005-02-15 Thread Mike Sturdee
In part of my ldap config section, I obtain the gid with an ldap lookup, 
then use my ${gid} variable in the groupmembership_filter. Up until 
recently I had simply been using %{User-Name}, but now have the need to 
use the check for Stripped-User-Name before using User-Name. That works 
everywhere but my gid ldap lookup. I included my groupmembership_filter 
line just to show the context of the ${gid} use.

Any pointers to what I may need to do differently are appreciated.
--
FreeRADIUS Version 1.1.0-pre0, for host i386-unknown-freebsd5.3, built on 
Dec 17 2004 at 12:56:19

--
# radiusd.conf
gid =  %{ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?\
(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))}
groupname_attribute = cn
groupmembership_filter = 
"(&(objectClass=posixGroup)(|(gidNumber=${gid})(memberUid=%{Stripped-User-Name:-%{User-Name}})))"

--
# debugging output
--snip--
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat: Running registered xlat function of module ldap1 for string 
'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=%{Stripped-User-Name'
rlm_ldap: - ldap_xlat
radius_xlat:  'ldap:///dc=domain,dc=com?gidNumber?sub?(&(uid=mike'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(&(uid=mike
rlm_ldap: ldap_search() failed: Bad search filter: (&(uid=mike
rlm_ldap: Search returned error

--snip--
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
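
Added example, not part of the original thread and not FreeRADIUS code: a small model of the nested expansion in the radiusd.conf line above. It assumes the truncation in the debug output comes from cutting the gid expansion at its first ':-', which reproduces the string handed to ldap1; ATTRS and all function names are constructed for illustration.

```python
# Added illustration: a simplified model, not FreeRADIUS source code.
ATTRS = {"User-Name": "mike", "Realm": "example"}  # constructed request values
# Body of the gid expansion from the post, outer %{ } removed.
GID_XLAT = ("ldap1:ldap:///dc=domain,dc=com?gidNumber?sub?"
            "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=%{Realm}))")

def split_first(body):
    """Assumed faulty rule: cut at the first ':-', ignoring nesting."""
    return body.partition(":-")[0]

def match_brace(text, i):
    """Index just past the '}' closing the '%{' that starts at i."""
    depth, j = 1, i + 2
    while j < len(text) and depth:
        if text.startswith("%{", j):
            depth, j = depth + 1, j + 1
        elif text[j] == "}":
            depth -= 1
        j += 1
    if depth:
        raise ValueError("unterminated %{ in " + repr(text))
    return j

def expand(text, attrs):
    """Expand %{Attr} and %{Attr:-default}; defaults may nest to any depth."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("%{", i):
            j = match_brace(text, i)
            # Braces are matched first, so this ':-' belongs to this reference.
            name, _, default = text[i + 2:j - 1].partition(":-")
            value = attrs.get(name)
            out.append(expand(default, attrs) if value is None else value)
            i = j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def filter_balanced(flt):
    """Parentheses must pair up; RFC 4515 escapes literal ones as \\28, \\29."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(")
```

split_first(GID_XLAT) ends at "%{Stripped-User-Name", the same cut shown in the radius_xlat debug line, while expand() on the text after "ldap1:" yields a URL whose filter passes filter_balanced().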