Set reply attributes based on LDAP attribute


Set reply attributes based on LDAP attribute

aidanr
Hi,

I am trying to configure freeradius 2.1.12 to set the 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

I have pulled the variable from LDAP and am storing it as a local Radius variable called 'Person-OrgUnit'.  In the users file I am trying to check its value and set other attributes based on its value.

example:

DEFAULT Person-OrgUnit == "1122"
       Tunnel-Type             = VLAN,
       Tunnel-Medium-Type      = 802,
       Tunnel-Private-Group-ID = 1111

From what I can see in the freeradius debug mode, it is being skipped completely.  My old configuration which used the Ldap-Group attribute works correctly, but I need to change over to this other attribute due to an internal issue.  An example of the old configuration is below:

DEFAULT ldap_central-Ldap-Group == "Hosted"
       Tunnel-Type             = VLAN,
       Tunnel-Medium-Type      = 802,
       Tunnel-Private-Group-ID = 1107

I have looked at using rlm_checkval but I am seeing

'rlm_checkval: Could not find item named Person-OrgUnit in request'

in the logs.  I do not think this module is designed to do what I want.

--

What is the best way for me to check this radius CheckItem variable and based on its value, set additional attributes?

Thank you,

Re: Set reply attributes based on LDAP attribute

Alan DeKok-2
aidanr wrote:
> I am trying to configure freeradius 2.1.12 to set the
> 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

  That should be easy.

> I have pulled the variable from LDAP and am storing it as a local Radius
> variable called 'Person-OrgUnit'.  In the users file I am trying to check
> its value and set other attributes based on its value.

  That's not really easy.  The "users" file does comparisons on request
attributes or configuration attributes.

  You probably want to use unlang.  It's much simpler, and you can
directly address the attributes you need.

> I have looked at using rlm_checkval but I am seeing
> 'rlm_checkval: Could not find item named Person-OrgUnit in request'  
> in the logs.  I do not think this module is designed to do what I want.

  Exactly.  It's also why the "users" file doesn't work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Set reply attributes based on LDAP attribute

A.L.M.Buxey
In reply to this post by aidanr
Hi,

> I am trying to configure freeradius 2.1.12 to set the
> 'Tunnel-Private-Group-Id' attribute based on a value retrieved from LDAP.

use unlang - either completely to do the work...or to populate
the packet so that other modules can use it e.g.

if (Person-OrgUnit) {
        update request {
                Person-OrgUnit := %{Person-OrgUnit}
        }
}

or some such... in the authorize section straight after your LDAP
call. This would assume you've added such a local name to the dictionary...
there are a few local/non-reserved variables you can use..

- I'd personally use unlang or PERL to just do the work directly
as then you don't need to play with dictionaries etc, e.g.

if ("%{Person-OrgUnit}" == "1122") {
        update reply {
                Tunnel-Type             = "VLAN"
                Tunnel-Medium-Type      = "802"
                Tunnel-Private-Group-ID = "1111"
        }
}

do this in e.g. the post-auth section of the server


don't take my unlang as verbatim... it's quickly typed out as a rough
pointer... your mileage and requirements may vary ;-)

alan

Re: Set reply attributes based on LDAP attribute

aidanr
Thank you both for the quick replies.  I ended up using a switch statement to determine which Tunnel-Private-Group-ID the person requires.

Now to try and test this to ensure it's working for all users.

Thanks again
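The switch approach the original poster settled on, written out as an added example (this is not the poster's config or anything shipped with FreeRADIUS). It assumes Person-OrgUnit is a site-local dictionary attribute that the ldap module copies into the control list via ldap.attrmap; the attribute number 3000, the LDAP attribute name departmentNumber and the OU-to-VLAN values are placeholders.

```unlang
# raddb/dictionary (assumed): site-local attribute, numbers 3000-4000 are
# reserved for local use and never leave the server.
#   ATTRIBUTE  Person-OrgUnit  3000  string
#
# raddb/ldap.attrmap (assumed): copy the LDAP attribute that holds the
# organisational unit into the control (check item) list as Person-OrgUnit.
#   checkItem  Person-OrgUnit  departmentNumber
#
# sites-enabled/default, post-auth section. The ldap module has already run
# in authorize, so the control list is populated by the time we get here.
post-auth {
        # Expand from the control list explicitly; a bare %{Person-OrgUnit}
        # would look in the request packet, where the LDAP value never lands
        # (the same reason rlm_checkval reported "Could not find item").
        switch "%{control:Person-OrgUnit}" {
                case "1122" {
                        update reply {
                                Tunnel-Type             := VLAN
                                Tunnel-Medium-Type      := IEEE-802
                                Tunnel-Private-Group-ID := "1111"
                        }
                }
                case "1133" {
                        update reply {
                                Tunnel-Type             := VLAN
                                Tunnel-Medium-Type      := IEEE-802
                                Tunnel-Private-Group-ID := "1107"
                        }
                }
                # No case matched: the attribute was missing from LDAP (the
                # expansion is then the empty string) or holds an unmapped OU.
                # Fail closed instead of letting the switch port fall back to
                # whatever VLAN it would assign without a Tunnel-Private-Group-ID.
                case {
                        update reply {
                                Reply-Message := "No VLAN mapping for organisational unit"
                        }
                        reject
                }
        }
}
```

The `:=` operator overwrites any Tunnel-* attributes an earlier module put in the reply, so the LDAP-derived value always wins; run `radiusd -X` and check the "update reply" lines in the debug output to confirm which case fired for a test user.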