RE: Config. Help please - ldap and Active Directory

2009-03-12 Thread Leighton Man
And many requests later you ask about it: ++? if (control:Tmp-String-0 == ldap-student) (Attribute control:Tmp-String-0 was not found) .. and it's not there. Of course it's not, since it wasn't set during processing of that Access-Request but much earlier in the exchange. Obvious

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
Update a server-side attribute when you use the module: update control { Tmp-String-0 = ldap-student } then in post-auth: if (control:Tm-String-0 == ldap-student) { ... } I'm really grateful for all your help but it still doesn't work and after hours

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
And I get: ++[eap] returns ok +- entering group post-auth {...} ++[exec] returns noop ++? if (control:Tmp-String-0 == ldap-student) (Attribute control:Tmp-String-0 was not found) Sending Access-Accept of id 129 to 10.127.240.217 port 1645 Towards the beginning of the debug output is:

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
Can you post the whole debug, not just snippets? Are these from the same or from different requests in the exchange? Perhaps you need use_tunneled_reply rather than this. Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
Here's the complete debug (excluding the server start-up messages). There's rather a lot of it which is why I tried to post the bits relevant to what I'm trying (rather unsuccessfully :-) ) to understand. rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, length=148 ..

RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
Now I'm trying to return different reply attributes depending on Active Directory group membership and restrict which groups can authenticate. Ldap lookups against the active directory root fail with operation error. Reconfiguring Active Directory is not a viable option so I have to

Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote: I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. I can't do if Ldap-Group because there is no container in Active Directory above staff and student to query. What I think I need is: if ldap_staff returns ok { update reply {

RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
See man unlang. The syntax and examples are documented. Read it many times. The problem is not the documentation, which is great, but my understanding, which isn't! I'm working on it but finding it heavy going. ... ldap_staff if (ok) { update reply { ...

Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote: Logic now working correctly - many thanks. Final problem is to return reply attributes in the Access-Accept message. As a test I added Reply-Message := User is staff in the update reply section and the server duly added it to the next Access-Challenge message. I assume I

Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Nicolas Goutte
On 06.03.2009 at 12:20, Leighton Man wrote: Hi, I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) so please have patience. I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to authenticate against Active Directory using ntlm-auth. All working OK. Now I'm trying to return different reply

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote: Many thanks for this. I'm using 1.1.7 because it's available as a pre-built package on solaris for both sparc and x86 architectures. The idea is to get freeradius configured and working as fast as possible so it can be demo'd to management (I'm trying to retire Cisco

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Huh? It compiles on 3-4 different Solaris boxes that I have access to. Did you run make from the TOP directory, or by cd'ing to src/lib? Alan DeKok. Tried gmake from the top directory and gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
Is there any way to do what I want without upgrading? You can try the users file: DEFAULT Ldap-Group == staff some reply DEFAULT Ldap-Group == student some other reply DEFAULT Auth-Type := Reject That should be at the end of the users file (i.e. anything

Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote: Tried gmake from the top directory and gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o .libs/dict.o (copy and paste from the gmake output) from the

RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hmm... would it be possible to give *more* output? i.e. start from a fresh directory: $ tar -zxf freeradius-server-2.1.3.tar.gz $ cd freeradius-server-2.1.3 $ ./configure $ gmake And show the errors (not the dozens of lines saying building foo, or the last dozen lines saying