Hello Hugh,
I have noticed the existence of the "deref" parameter, but none is designed to specify what extended attribute you want to get from the dereferenced ones.

In the following example, an object of class oscradiusclient contains an attribute "memberof" which is actually a reference to another object (aka a DN). When you run an extended search to get attribute "radiusReplyItem" from the referenced attribute memberof:

    ldapsearch -Y GSSAPI -E 'deref=memberof:radiusReplyItem' '(objectclass=oscradiusclient)' control memberof

You get:

    # LDAPv3
    # base <SUFFIX> (default) with scope subtree
    # filter: (&(objectclass=oscradiusclient2))
    # requesting: control
    # with dereference control
    # ipa2.pp-iam.mycorp.net, computers, accounts, pp-iam.mycorp.net
    dn: fqdn=ipa2.pp-iam.mycorp.net,cn=computers,cn=accounts,SUFFIX
    memberof: ipaUniqueID=UUID1,cn=hbac,SUFFIX
    memberof: ipaUniqueID=UUID2,cn=hbac,SUFFIX
    control: 1.3.6.1.4.1.4203.666.5.16 false <HERE FOLLOWS A BASE64 ENCODED ANSWER>
    # memberof: <radiusReplyItem=you are authorized with the integrated iam profile1>; ipaUniqueID=UUID1,cn=hbac,SUFFIX
    # memberof: <radiusReplyItem=you are authorized with the integrated iam profile2>; ipaUniqueID=UUID2,cn=hbac,SUFFIX

As you can see, the virtual attribute "control" contains all you have requested in the 'deref=' parameter, in a base64 encoded way. The two following commented lines are merely detailing in a readable form the value of "control".

BUT… how to search like this in Radiator? The existence of the parameter "deref" suggests that it is possible, but I do not know how to proceed. No keyword listed in section 3.9.23 seems to be designed for that.

Finally, it would be great if you can add support for postSearchHook in ClientListLDAP as a complement to the above possibility to dereference subordinate DNs of a search. Is that a feature we could buy?
Best regards
Jean-Philippe

________________________________
From: Hugh Irvine <[email protected]>
Sent: Saturday, 22 September 2018 00:54:22
To: AYANIDES, Jean-Philippe
Cc: [email protected]
Subject: Re: [RADIATOR] LDAP: dereferencing searches

Hi Jean-Philippe -

You can use any of the LDAP keywords as listed in section 3.9 of the Radiator 4.21 reference manual ("doc/ref.pdf").

See section 3.9.23 Deref for example.

We could also look at adding support for PostSearchHook in ClientListLDAP if required.

regards

Hugh

> On 22 Sep 2018, at 01:57, AYANIDES, Jean-Philippe <[email protected]> wrote:
>
> Hello,
>
> I'd like to use the LDAP2 mechanism to get client attributes from LDAP (with the
> directive "clientlistldap").
>
> But one of the attributes returned by the LDAP search is a DN (syntax
> 1.3.6.1.4.1.1466.115.121.1.12) I would like to dereference.
> So, I am looking for the way to dereference that DN, in order to get
> attributes from the linked object.
> With ldapsearch, I used to run for example:
>
>     ldapsearch -Y GSSAPI -E 'deref=memberof:radiusReplyItem' '(serverhostname=myNAS)'
>
> But with LDAP2, I do not know how to do it. There is no keyword similar to
> the keyword "filter" designed to add the extending searches...
> Can anyone help me?
>
> Jean-Philippe
> This message contains information that may be privileged or confidential and
> is the property of the Capgemini Group. It is intended only for the person to
> whom it is addressed. If you are not the intended recipient, you are not
> authorized to read, print, retain, copy, disseminate, distribute, or use this
> message or any part thereof. If you receive this message in error, please
> notify the sender immediately and delete all copies of this message.
> _______________________________________________
> radiator mailing list
> [email protected]
> http://lists.open.com.au/mailman/listinfo/radiator

--
Hugh Irvine
[email protected]

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc.
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
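Added example, not part of the original thread and not Radiator or OpenLDAP code: a sketch of what sits behind `-E 'deref=memberof:radiusReplyItem'`, namely the value a client attaches to control 1.3.6.1.4.1.4203.666.5.16 and how the base64 "control" value in the reply decodes into the readable lines ldapsearch prints. It assumes the ASN.1 layouts of the LDAP dereference control draft (draft-masarati-ldap-deref); all function names are hypothetical and the sample reply is constructed, with shortened "profileN" strings.

```python
import base64

def tlv(tag, payload):
    """Encode one BER element with a definite length (short or long form)."""
    n = len(payload)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + payload

def read_tlvs(buf):
    """Split buf into (tag, payload) pairs; ValueError on malformed lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] == 0x80:
            raise ValueError("truncated header or indefinite length")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def deref_request_value(specs):
    """Request value: SEQUENCE OF SEQUENCE { derefAttr, SEQUENCE OF attribute }."""
    seq_of = lambda names: tlv(0x30, b"".join(tlv(0x04, n.encode()) for n in names))
    return tlv(0x30, b"".join(tlv(0x30, tlv(0x04, a.encode()) + seq_of(w)) for a, w in specs))

def parse_deref_control(b64_value):
    """Response: SEQUENCE OF SEQUENCE { derefAttr, derefVal, [0] attrVals OPTIONAL }."""
    (_, body), = read_tlvs(base64.b64decode(b64_value))
    results = []
    for _, res in read_tlvs(body):
        (_, attr), (_, dn), *rest = read_tlvs(res)
        vals = {}
        for _, attrs in (f for f in rest if f[0] == 0xA0):  # implicit [0] tag
            for _, pa in read_tlvs(attrs):
                (_, typ), (_, valset) = read_tlvs(pa)
                vals[typ.decode()] = [v.decode() for _, v in read_tlvs(valset)]
        results.append((attr.decode(), dn.decode(), vals))
    return results

def sample_control_b64():
    """Constructed sample shaped like the two memberof results in the post."""
    def res(n):
        pa = tlv(0x30, tlv(0x04, b"radiusReplyItem") + tlv(0x31, tlv(0x04, b"profile%d" % n)))
        dn = b"ipaUniqueID=UUID%d,cn=hbac,SUFFIX" % n
        return tlv(0x30, tlv(0x04, b"memberof") + tlv(0x04, dn) + tlv(0xA0, pa))
    return base64.b64encode(tlv(0x30, res(1) + res(2)))
```

`parse_deref_control(sample_control_b64())` returns one (attribute, DN, values) tuple per dereferenced memberof entry, and malformed or truncated control values raise ValueError instead of yielding partial results.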
