Version: FreeRADIUS 2.0.4

I read the configuration file comments, searched the
forums, and even read the source code for rlm_checkval,
but am still having trouble getting it working the way
I think it should. I am somewhat new to this, so perhaps
I missed something obvious.

I have an LDAP database. I do have LDAP authentication
working without checkval.

In the LDAP database, we have an attribute named 'host' that
is meant to be a list of NAS IP addresses. This attribute is
of type string and multi-valued.

A sample LDAP entry might look something like this:

dn: uid=testuser,ou=people,o=company
host: 192.168.0.1
host: 192.168.0.2
host: 192.168.0.3


I added this to the ldap.attrmap file:

checkItem NAS-IP-Address host


and then added this to the radiusd.conf file:

checkval hostaccess {
  item-name  = NAS-IP-Address
  check-name = NAS-IP-Address
  data-type  = string
  notfound-reject = yes
}


and then added 'hostaccess' after 'ldap'
in the authorize section of
sites-available/default file.


When I perform a test (like this):

radtest testuser testpass localhost 10 testing123


I get the following 'radiusd -X' output:

[...]
Listening on authentication address * port 1812
Listening on accounting address * port 1813
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.1
NAS-Port = 10
[...]
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=unt, with
  filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute host as RADIUS attribute
  NAS-IP-Address == 192.168.0.1
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.
  Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_checkval: Item Name: NAS-IP-Address, Value: ????
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.1
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.2
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.3
++[hostaccess] returns reject
Invalid user (rlm_checkval: This NAS-IP-Address is not allowed
  for the user): [testuser/testpass] (from client localhost port 10)
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 2 seconds
[...]


The "Item Name: NAS-IP-Address, Value: ????" bothered me a bit.
I don't understand what that means. I think that should show the
value from the Access-Request message, but "????" did not make
any sense. There is a value present in the request, otherwise it
would reject for a missing VP. The value is clearly there.

Now I tried changing to 'data-type  = ipaddr' in the checkval
configuration, but that seems to be ignored in the source code.
The source code seems to compare only string, octet, date, and
integer and ignores other types simply returning noop.

How should I correctly check that the NAS-IP-Address is listed in
the LDAP database's 'host' attribute?

Respectfully,
Yancey


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
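As an added illustration (not FreeRADIUS code, and not something the poster wrote), the following Python models the comparison rlm_checkval is configured to perform above: take the NAS-IP-Address from the Access-Request, take the user's multi-valued LDAP `host` attribute, and return ok, reject or noop in the way the `hostaccess` block intends. The `ipaddr` branch is what the poster found missing from the 2.0.4 module (which, per the post, compares only string, octets, date and integer and returns noop otherwise); it is included here to show why a plain string compare can reject a host that is actually listed. Function names, the tiny LDIF reader and the sample entry are constructed for this example.

```python
"""Model of the NAS-IP-Address check described in the post.

Added example, not part of FreeRADIUS. Assumes the LDAP attribute values
arrive as plain strings, as 'data-type = string' in the poster's config
implies, and that the request attribute is rendered in dotted form.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample entry, mirroring the one in the post (hypothetical data).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,o=company
host: 192.168.0.1
host: 192.168.0.2
host: 192.168.0.3
"""


def hosts_from_ldif(text: str, attr: str = "host") -> List[str]:
    """Collect every value of a multi-valued attribute from a minimal LDIF entry."""
    values = []
    prefix = attr + ":"
    for line in text.splitlines():
        if line.startswith(prefix):
            values.append(line[len(prefix):].strip())
    return values


def normalize_ipaddr(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def host_allowed(request_nas_ip: str, ldap_hosts: Iterable[str],
                 data_type: str = "string", notfound_reject: bool = True) -> str:
    """Return 'ok', 'reject' or 'noop', mirroring the module return codes.

    data_type == "string": byte-for-byte match, like the poster's config.
    data_type == "ipaddr": compare parsed addresses, so whitespace or an
        uncompressed IPv6 form in LDAP still matches (the behaviour the
        poster wanted; labelled here as the added part).
    Any other type: noop, which is what the poster saw in the 2.0.4 source.
    """
    hosts = list(ldap_hosts)
    if not hosts:
        # No check values found for the user: honour notfound-reject.
        return "reject" if notfound_reject else "noop"

    if data_type == "string":
        return "ok" if request_nas_ip in hosts else "reject"

    if data_type == "ipaddr":
        wanted = normalize_ipaddr(request_nas_ip)
        if wanted is None:
            return "reject"  # request value is not an address at all
        allowed = {normalize_ipaddr(h) for h in hosts}
        allowed.discard(None)  # ignore LDAP values that are not addresses
        return "ok" if wanted in allowed else "reject"

    return "noop"


if __name__ == "__main__":
    hosts = hosts_from_ldif(SAMPLE_LDIF)
    # Same request as the poster's radtest run, NAS-IP-Address = 192.168.0.1
    print(host_allowed("192.168.0.1", hosts, "string"))   # ok
    print(host_allowed("192.168.0.9", hosts, "string"))   # reject
    # A value with stray whitespace in LDAP fails as string, passes as ipaddr
    print(host_allowed("192.168.0.1", [" 192.168.0.1 "], "string"))  # reject
    print(host_allowed("192.168.0.1", [" 192.168.0.1 "], "ipaddr"))  # ok
```

The point of the two last lines is the practical one for this setup: when both sides are compared as strings, every `host` value in the directory has to be written exactly the way the server renders the request attribute, so a stray space or an uncompressed IPv6 form silently turns into a reject, and the only visible symptom is a log line like the one in the post.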
