On Tue, 2002-11-12 at 03:51, Alan DeKok wrote:
> Malcolm Caldwell <[EMAIL PROTECTED]> wrote:
> > This works fine but it does not give the level of redundancy I wish. I
> > have tried to use conditional syntax for the xlats:
> >
> > sql_user_name =
> > %{serverXldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name})):-%{serverYldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))}:-%{User-Name}}
> >
> > This does not work - I end up with usernameusername:-username
>
> Uh.. for what? Can you post examples, and output of debugging,
> instead of edited summaries?
Sure (I will still edit my server names, passwords, etc.)
I am authenticating via ldap and accounting via sql. I have two
redundant ldap servers. Users can log in using either the full cn or
uid.
radiusd.conf:
...
modules {
	...
	ldap serverXldap {
		server = "serverX.abc.com"
		basedn = "o=abc"
		filter = "(|(uid=%{User-Name})(cn=%{User-Name}))"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		timeout = 40
		timelimit = 30
		net_timeout = 10
		# compare_check_items = yes
		# access_attr_used_for_allow = yes
	}
	ldap serverYldap {
		server = "serverY.abc.com"
		basedn = "o=abc"
		filter = "(|(uid=%{User-Name})(cn=%{User-Name}))"
		start_tls = no
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		timeout = 40
		timelimit = 30
		net_timeout = 10
	}
	...
	$INCLUDE ${confdir}/sql.conf
	...
}
authorize {
	preprocess
	suffix
	redundant {
		serverXldap
		serverYldap
	}
	files
	testquota
}
authenticate {
	unix
	authtype LDAP {
		redundant {
			serverXldap
			serverYldap
		}
	}
	authtype SMB {
		smb
	}
}
My sql.conf is fairly close to the original. I will not post it all
here.
What I will show is:
sql_user_name =
%{serverXldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name})):-%{serverYldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))}:-%{User-Name}}
What I am trying to achieve with this is that regardless of what the user
logs in as (uid or cn), the uid is put in the database. To do this I try to:
ldap query serverX and find uid.
If it is not defined query serverY and find uid.
If both fail, fall back to inserting the User-Name as supplied by the user.
Here is the relevant section of a debug log:
radius_xlat: Running registered xlat function of module brolgaldap for
string 'ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))'
rlm_ldap: - ldap_xlat
radius_xlat: 'ldap:///o=abc?uid?sub?(|(uid=test)(cn=test))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=abc, with filter (|(uid=test)(cn=test))
rlm_ldap: Adding attribute uid, value: test
ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
radius_xlat: Running registered xlat function of module serverYldap for
string 'ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))'
rlm_ldap: - ldap_xlat
radius_xlat: 'ldap:///o=abc?uid?sub?(|(uid=test)(cn=test))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=abc, with filter (|(uid=test)(cn=test))
rlm_ldap: Adding attribute uid, value: test
ldap_release_conn: Release Id: 0
rlm_ldap: - ldap_xlat end
radius_xlat: 'testtest:-test'
sql_set_user: escaped user --> 'testtest:-test'
My problems are thus:
First - The user name I want is 'test'. It would seem I cannot use
conditionals for xlat.
Second - is there a better way to do ldap xlats with redundant servers?
Of note - If I try ldap:ldap:///o=abc... I get
WARNING: Attempt to use unknown xlat function or attribute in string
%{ldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
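As an added example (not part of this thread and not FreeRADIUS code), the following Python models the fallback semantics the post is after: a `%{a:-b:-c}` body is parsed by matching the nested `%{`/`}` pairs and taking the first alternative that expands to a non-empty string, so with both replicas answering the recorded name is the uid `test` whether the user typed the uid or the cn, with serverX unreachable it comes from serverY, and with both unreachable it is the User-Name as supplied. The two directories, the `serverXldap`/`serverYldap` function names and the `x_up`/`y_up` outage flags are constructed for the demonstration. The model also applies RFC 4515 escaping to `%{User-Name}` before it is placed in the filter, since an unescaped `*`, `(` or `)` in a name is filter syntax; whether the rlm_ldap of the time escaped it itself is not something the thread shows, so treat that as the model's own choice.

```python
import re

# Added example, not FreeRADIUS code: a model of "%{a:-b:-c}" fallback
# expansion with nested %{...}, over two constructed directories standing in
# for serverXldap and serverYldap.  Entries, names and outage flags are assumed.

def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _split_top(body, sep):
    """Split body at the first sep that is not inside a nested %{...}."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if depth == 0 and body.startswith(sep, i):
            return body[:i], body[i + len(sep):]
        if body[i] == "}":
            depth -= 1
        i += 1
    return body, None

def expand(template, attrs, funcs, escape=None):
    """Expand %{Attr}, %{func:arg} and %{ref:-fallback:-...} in template."""
    k = template.find("%{")
    if k < 0:
        return template
    body, rest = _split_top(template[k + 2:], "}")   # body up to the matching }
    if rest is None:
        raise ValueError("unbalanced %{ in " + template)
    return template[:k] + _expand_body(body, attrs, funcs, escape) + expand(rest, attrs, funcs, escape)

def _expand_body(body, attrs, funcs, escape):
    first, rest = _split_top(body, ":-")
    value = _expand_ref(first, attrs, funcs, escape)
    if value or rest is None:
        return value
    return _expand_body(rest, attrs, funcs, escape)   # try the next alternative

def _expand_ref(ref, attrs, funcs, escape):
    if ref.startswith("%{"):                           # nested expansion
        return expand(ref, attrs, funcs, escape)
    name, arg = _split_top(ref, ":")
    if arg is None:                                    # plain attribute reference
        value = attrs.get(name, "")
        return escape(value) if escape else value
    fn, fn_escape = funcs[name]                        # registered xlat function
    return fn(expand(arg, attrs, funcs, fn_escape))    # its argument is escaped

LDAP_URL = re.compile(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)")

def _matches(entry, flt):
    """Evaluate a filter limited to (attr=value) and (|(...)(...)) forms."""
    if flt.startswith("(|"):
        return any(_matches(entry, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    m = re.fullmatch(r"\(([\w-]+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return entry.get(m.group(1)) == _unescape(m.group(2))

def make_ldap_xlat(entries, up=True):
    """An ldap:/// URL xlat over a constructed directory; empty when down."""
    def xlat(url):
        if not up:
            return ""
        m = LDAP_URL.fullmatch(url)
        if not m:
            raise ValueError("bad LDAP URL: " + url)
        attr, flt = m.group(2), m.group(4)
        return next((e.get(attr, "") for e in entries if _matches(e, flt)), "")
    return xlat

# Constructed directory contents: the same account on both replicas.
SERVER_X = [{"uid": "test", "cn": "Test User"}]
SERVER_Y = [{"uid": "test", "cn": "Test User"}]

SQL_USER_NAME = (
    "%{serverXldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))"
    ":-%{serverYldap:ldap:///o=abc?uid?sub?(|(uid=%{User-Name})(cn=%{User-Name}))}"
    ":-%{User-Name}}"
)

def sql_user_name(user_name, x_up=True, y_up=True):
    """Name the model records: uid from X, else from Y, else User-Name as sent."""
    funcs = {
        "serverXldap": (make_ldap_xlat(SERVER_X, x_up), ldap_filter_escape),
        "serverYldap": (make_ldap_xlat(SERVER_Y, y_up), ldap_filter_escape),
    }
    return expand(SQL_USER_NAME, {"User-Name": user_name}, funcs)

def ldap_filter_for(user_name):
    """The filter the model sends for user_name, with User-Name escaped."""
    return expand("(|(uid=%{User-Name})(cn=%{User-Name}))",
                  {"User-Name": user_name}, {}, ldap_filter_escape)
```

`sql_user_name("Test User", x_up=False)` expands the serverX alternative, gets an empty string back, and moves on to the serverY alternative, which is the behaviour the post wants. The `testtest:-test` in the debug log is consistent with an expander that expanded each `%{server...}` reference separately and kept the `:-` text literally, with no alternation at all; the brace-matching split in `_expand_body` is the piece that has to exist for `:-` to act as a fallback.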