Thanks for your reply.
Here is what I did:
In ldap.attrmap I put:
checkItem User-Category eduPersonPrimaryAffiliation
In the users file I did:
DEFAULT
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id = 901,
	Fall-Through = Yes
DEFAULT User-Category == "student"
	Reply-Message = "Your a member of the student Group",
	Tunnel-Private-Group-Id = 902
DEFAULT User-Category == "employee"
	Reply-Message = "Your a member of the employee Group",
	Tunnel-Private-Group-Id = 903
In the inner-tunnel file I have:
authorize {
	chap
	mschap
	uni
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}
	ldap
	files
	expiration
	logintime
	pap
}
I got the following logs:
........
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category == "employee"
[ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
......
The line 166 in my users file is this one:
DEFAULT
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id = 901,
	Fall-Through = Yes
and I don't match the following entries:
DEFAULT User-Category == "employee"
	Reply-Message = "Your a member of the employee Group",
	Tunnel-Private-Group-Id = 903
and I really don't know why.
On 16/09/2010 09:44, Phil Mayers wrote:
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
Two issues; first, as above you're adding the User-Category item from
LDAP into the reply list, but the "files" syntax doesn't (can't) match
items in the reply list. This:
DEFAULT User-Category == "employee"
means "match all requests with the attribute User-Category == employee in
the *request* items".
Secondly, I think you're running LDAP after "files", so even if it could
match, it would not.
Try something like this in sites-available/inner-tunnel:
authorize {
	...
	ldap
	if (reply:User-Category == employee) {
		update reply {
			Tunnel-Private-Group-Id := 1234
		}
	}
	elsif (reply:User-Category == ...) {
	}
}
Or, modify your ldap.attrmap to put the User-Category into the request
items (assuming your NAS doesn't need it) then move the files module
after the ldap one.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
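The following is an added worked example (not configuration from either poster) that carries Phil's first suggestion through end to end: map eduPersonPrimaryAffiliation into the reply list via ldap.attrmap, then let unlang in inner-tunnel pick the VLAN after ldap has run. It assumes FreeRADIUS 2.x syntax (matching the log format above) and reuses the VLAN IDs 901/902/903 from the thread; the Reply-Message strings and the exact placement of the unlang block are my choices. The users-file entries that carried check items on User-Category are dropped, since, as explained above, rlm_files can only match on request items and those entries never fire.

```conf
# --- raddb/ldap.attrmap ---------------------------------------------------
# Put the affiliation into the *reply* list, where unlang can test it.
# User-Category is a FreeRADIUS internal attribute (dictionary.freeradius.internal),
# so it is never encoded onto the wire even though it sits in the reply list.
replyItem   User-Category   eduPersonPrimaryAffiliation

# --- raddb/sites-available/inner-tunnel -----------------------------------
authorize {
	chap
	mschap
	suffix
	update control {
		Proxy-To-Realm := LOCAL
	}
	eap {
		ok = return
	}

	# ldap must run before the if/elsif block below, otherwise
	# reply:User-Category does not exist yet when it is tested.
	ldap

	# Keep "files" for entries that genuinely match on request items;
	# the VLAN decision is no longer made there.
	files

	# Tunnel attributes common to every VLAN assignment.
	# ":=" replaces any value an earlier module (e.g. a users-file
	# DEFAULT) may already have added, which a plain "=" would not do.
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
	}
	if (reply:User-Category == "employee") {
		update reply {
			Tunnel-Private-Group-Id := 903
			Reply-Message := "You are a member of the employee group"
		}
	}
	elsif (reply:User-Category == "student") {
		update reply {
			Tunnel-Private-Group-Id := 902
			Reply-Message := "You are a member of the student group"
		}
	}
	else {
		# Fallback VLAN for a missing or unexpected affiliation, so an
		# account with no eduPersonPrimaryAffiliation never lands in a
		# privileged VLAN by accident.
		update reply {
			Tunnel-Private-Group-Id := 901
		}
	}

	expiration
	logintime
	pap
}
```

With this in place, `radiusd -X` should show the attribute under "looking for reply items in directory..." as `[ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"`, exactly as in Phil's log, followed by the update of Tunnel-Private-Group-Id. One caveat for PEAP/TTLS: the inner-tunnel reply only reaches the NAS if the outer EAP method copies it out, i.e. `use_tunneled_reply = yes` in the peap/ttls section of eap.conf; without it the VLAN attributes are silently dropped from the Access-Accept.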