Thanks for the tip. The problem was that I left the ldap module statement out of the authorize section of the config file. Once that is fixed, it doesn't appear to matter what I put in the users file. Whether I leave the lines in or take them out, the resulting reply items to the radius client are the same. But it's a lot cleaner without them. So it seems that all one needs to do is set DEFAULT Auth-Type := ldap and not fall through and assign all attributes via ldap for a nice default configuration, right?
Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kostas Kalevras
Sent: Wednesday, June 26, 2002 2:25 AM
To: [EMAIL PROTECTED]
Subject: Re: assigning ldap variables in the reply

On Mon, 24 Jun 2002, Mike Denka wrote:

> I'm sorry that this question seems so elementary, but I can't find
> documentation to tell me what I need to know. If it's in doc/rlm_ldap I
> can't find it. Anyway, the simple question is: How do I forward values
> obtained from ldap attributes in a user entry on to the NAS/RAS?
>
> I can authenticate fine via freeradius and ldap, but when I try to pass
> a Framed IP Address, Framed Netmask and Framed Route to the NAS, it
> chokes because the values are bogus. Here's my entry in the users file:
>
> DEFAULT Auth-Type := ldap
>         Fall-Through = Yes
>
> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = radiusFramedIPAddress,
>         Framed-IP-Netmask = radiusFramedIPNetmask,
>         Framed-Route = radiusFramedRoute,
>         .
>         .
>         .

The mapping between radius and ldap attributes is done in the ldap.attrmap
file not in the users file. Just remove the above lines and everything
should work fine. Make sure though that you have included the ldap module
in your authorize section in radiusd.conf.

--
Kostas Kalevras          Network Operations Center
[EMAIL PROTECTED]        National Technical University of Athens, Greece
Work Phone:              +30 10 7721861
'Go back to the shadow'  Gandalf

> Ldap entries look like this:
>
> dn: uid=customer,ou=people,dc=isp,dc=com
> objectClass: uidObject
> objectClass: posixAccount
> objectClass: radiusprofile
> .
> .
> .
> radiusFramedIPAddress: 192.168.0.1
> radiusFramedIPNetmask: 255.255.255.252
> radiusFramedRoute: "192.168.0.0 192.168.0.2 1"
> .
> .
> .
> When I examine debug output from the radius server, it shows me that it
> is sending to the NAS:
>
> Framed-IP-Address = radiusFramedIPAddress    instead of
> Framed-IP-Address = 192.168.0.1
>
> Framed-IP-Netmask = radiusFramedIPNetmask    instead of
> Framed-IP-Netmask = 255.255.255.252
>
> Framed-Route = "radiusFramedRoute"   # (quotations are in the
> debug output, not mine)              instead of
> Framed-Route = "192.168.0.0 192.168.0.2 1"
>
> And so on.
>
> In other words, the ldap attributes aren't being translated. When I
> sniff the network and actually look at the packets being sent to the
> NAS, the Framed-IP-Address and netmask are both 255.255.255.255 and the
> value for Framed Route is actually "radiusFramedRoute", not the value
> assigned to that attribute in the associated entry.
>
> I know this is basic stuff, but I can't find it documented anywhere.
> Perhaps someone could point me to docs beyond those in the distribution
> too.
>
> Thanks,
>
> Mike
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
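The mechanism Kostas points to, as a constructed example added here (it is neither FreeRADIUS source nor code from the thread): rlm_ldap reads a three-column ldap.attrmap file (checkItem/replyItem, RADIUS attribute, LDAP attribute) and, for each mapped LDAP attribute present in the user's entry, builds a RADIUS check or reply item from the entry's value. The users file never performs that lookup, which is why a users-file line like "Framed-IP-Address = radiusFramedIPAddress" sends the attribute name, not its value. The attrmap excerpt, the LDIF entry and the attribute-type table below are assumptions modelled on the thread; the encode_value check (refusing a non-IP string for an ipaddr attribute instead of letting it reach the wire as 255.255.255.255) is this example's addition.

```python
"""Model of the ldap.attrmap mechanism discussed in the thread.

Constructed example, not FreeRADIUS code: shows how an LDAP entry's
attributes become RADIUS check/reply items via a mapping file rather
than via the users file.
"""
import ipaddress

# Constructed ldap.attrmap excerpt in the file's three-column format:
#   <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
ATTRMAP = """\
# item type   RADIUS attribute    LDAP attribute
checkItem     Auth-Type           radiusAuthType
checkItem     Simultaneous-Use    radiusSimultaneousUse
replyItem     Service-Type        radiusServiceType
replyItem     Framed-IP-Address   radiusFramedIPAddress
replyItem     Framed-IP-Netmask   radiusFramedIPNetmask
replyItem     Framed-Route        radiusFramedRoute
"""

# Constructed LDIF entry modelled on the one posted in the thread.
LDIF = """\
dn: uid=customer,ou=people,dc=isp,dc=com
objectClass: uidObject
objectClass: posixAccount
objectClass: radiusprofile
uid: customer
radiusServiceType: Framed-User
radiusFramedIPAddress: 192.168.0.1
radiusFramedIPNetmask: 255.255.255.252
radiusFramedRoute: 192.168.0.0 192.168.0.2 1
"""

# Assumed dictionary types for the attributes this example maps.
ATTR_TYPES = {
    "Auth-Type": "string",
    "Simultaneous-Use": "integer",
    "Service-Type": "string",
    "Framed-IP-Address": "ipaddr",
    "Framed-IP-Netmask": "ipaddr",
    "Framed-Route": "string",
}


def parse_attrmap(text):
    """Return [(kind, radius_attr, ldap_attr), ...]; comments and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("checkItem", "replyItem"):
            raise ValueError("bad attrmap line: %r" % line)
        rows.append(tuple(fields))
    return rows


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (LDAP attributes are multi-valued)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def encode_value(radius_attr, value):
    """Validate a value against the attribute's type before it is put in a reply.

    A literal such as the LDAP attribute *name* (what the users-file lines in the
    thread produced) is rejected here with ValueError instead of going out on
    the wire as a bogus 255.255.255.255.
    """
    kind = ATTR_TYPES.get(radius_attr, "string")
    if kind == "ipaddr":
        return str(ipaddress.IPv4Address(value))  # raises ValueError on garbage
    if kind == "integer":
        return int(value)
    return value


def map_entry(attrmap, entry):
    """Build (check_items, reply_items) for an LDAP entry from the attrmap rows."""
    check, reply = [], []
    for kind, radius_attr, ldap_attr in attrmap:
        for value in entry.get(ldap_attr, []):
            item = (radius_attr, encode_value(radius_attr, value))
            (check if kind == "checkItem" else reply).append(item)
    return check, reply


def reply_for_customer():
    """Worked example: the reply items the thread's entry should yield."""
    _, reply = map_entry(parse_attrmap(ATTRMAP), parse_ldif(LDIF))
    return reply


if __name__ == "__main__":
    for attr, value in reply_for_customer():
        print("%s = %s" % (attr, value))
```

Two things worth keeping in mind when reply items come from a directory this way. First, the NAS installs whatever Framed-IP-Address and Framed-Route it is handed, so anyone with write access to those LDAP attributes can hand out addresses and routes; the bind identity rlm_ldap uses should be read-only and the write ACL on the radiusprofile attributes should be as narrow as the ACL on userPassword. Second, a type check like encode_value above fails closed on a malformed value, which is the behaviour you want in front of a NAS rather than the 255.255.255.255 that appeared in the packet capture.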
