Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Can you please reply to me about multiple LDAP attributes in the RADIUS reply
response? It would be really appreciated.

I searched the following thread for multiple LDAP attributes, but it did not
have the right logic without changing the data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the LDAP data, as it is legacy.

For multi-valued LDAP attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap:  user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
rEntitlements = test1
rCidx = 11





Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
 I am using NTRadPing to test the authorization.
 I see in the log that the RADIUS attribute is mapped to the LDAP attribute and
 returns a valid value
 rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
 
 but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Alan DeKok
Eric Martell wrote:
 Can you please reply to me about multiple LDAP attributes in the RADIUS
 reply response? It would be really appreciated.

  raddb/ldap.attrmap  See the operator field, which is an operator
just like in the users file.

  Alan DeKok.
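The operator column Alan points to behaves like the operators in the users file: with the default `=` a reply attribute is only added when the reply does not already contain one of that name, which is exactly why the log above shows all three entitlements being read but only `rEntitlements = test1` being sent, whereas `+=` adds one reply attribute per LDAP value (an attrmap line of the form `replyItem rEntitlements entitlements +=`). The following Python model of that merge logic is an added example, not code from the thread or from rlm_ldap; the LDAP entry is constructed to match the debug output, and the three-operator semantics are the documented users-file ones, simplified.

```python
"""
Added example (not from the thread or from FreeRADIUS itself): a small model of
how the operator column in raddb/ldap.attrmap decides what happens when one
LDAP entry carries several values for the same attribute.

Operator semantics modelled (those of the FreeRADIUS "users" file, which the
attrmap operator column follows):
  =   add the attribute only if the reply does not already contain one
  :=  replace any existing attribute of that name with this value
  +=  always add another attribute of that name
"""

# Constructed LDAP entry matching the debug output in the thread:
# single-valued "roleid", multi-valued "entitlements".
LDAP_ENTRY = {
    "roleid": ["11"],
    "entitlements": ["test1", "test2", "test3"],
}


def apply_reply_items(entry, attrmap):
    """
    entry:   dict of LDAP attribute -> list of values (LDAP attributes are
             always multi-valued at the protocol level).
    attrmap: list of (radius_attr, ldap_attr, op) tuples, i.e. the replyItem
             lines of ldap.attrmap, with op one of '=', ':=' or '+='.
    Returns the reply as an ordered list of (name, value) pairs.
    """
    reply = []
    for radius_attr, ldap_attr, op in attrmap:
        for value in entry.get(ldap_attr, []):
            present = any(name == radius_attr for name, _ in reply)
            if op == "=":
                # First value wins; later values are silently dropped.
                if not present:
                    reply.append((radius_attr, value))
            elif op == ":=":
                # Replace: with several LDAP values the last one survives.
                reply = [(n, v) for n, v in reply if n != radius_attr]
                reply.append((radius_attr, value))
            elif op == "+=":
                # Append: every LDAP value becomes its own reply attribute.
                reply.append((radius_attr, value))
            else:
                raise ValueError(f"unsupported operator {op!r}")
    return reply


def values_of(reply, name):
    """All values of one attribute name in the reply, in order."""
    return [v for n, v in reply if n == name]


if __name__ == "__main__":
    # What the poster had: default '=' operator, only test1 is sent.
    default_map = [("rCidx", "roleid", "="),
                   ("rEntitlements", "entitlements", "=")]
    print(apply_reply_items(LDAP_ENTRY, default_map))
    # With '+=' all three entitlements go into the Access-Accept.
    fixed_map = [("rCidx", "roleid", "="),
                 ("rEntitlements", "entitlements", "+=")]
    print(apply_reply_items(LDAP_ENTRY, fixed_map))
```

Note the `:=` case: with a multi-valued LDAP attribute it keeps only the last value read, so `+=` is the operator to use when every value is meant to reach the NAS.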


Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Eric Martell
Hi Alan,
   Thanks so much. Really appreciated. It works!

One more simple/stupid question regarding duplicate entries in the LDAP.

We have scenarios where one PC gets transferred to another user, and we don't 
delete the registered MAC address of the previous PC. The new user is still able to 
register with the previous user's existing PC MAC address one more time. Hence 
the scenario of duplicate entries in LDAP.

Is there a way, when the LDAP query (irrespective of how I use it) finds multiple 
results, to take the first result and return success instead of sending a reject?

The DN is not the uid, as the LDAP tree is structured with roleid as the DN and uid/did 
is an attribute. Also, changing the LDAP tree is not possible.

Please let me know.
Thanks in advance.


Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
 Can you please reply to me about multiple LDAP attributes in the RADIUS
 reply response? It would be really appreciated.

  raddb/ldap.attrmap  See the operator field, which is an operator
just like in the users file.

  Alan DeKok.



Re: Mapping ldap attribute with radius attribute...howto?

2008-04-02 Thread Alan DeKok
Eric Martell wrote:
 Is there a way, when the LDAP query (irrespective of how I use it) finds
 multiple results, to take the first result and return success instead of
 sending a reject?

  Edit the source code to rlm_ldap.

  Alan DeKok.


Mapping ldap attribute with radius attribute...howto?

2008-03-31 Thread Eric Martell
Hi,
  I mapped my LDAP attribute in the ldap.attrmap file as 
replyItem   rCidx   roleid

And in the dictionary file I mapped it as 
ATTRIBUTE   rCidx   3000    string


I am using NTRadPing to test the authorization.
I see in the log that the RADIUS attribute is mapped to the LDAP attribute and 
returns a valid value
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11

but I did not see it in the "Sending Access-Accept" reply to the NAS.

I read the rlm_ldap doc but am not quite sure how to configure this. Please help.

Thanks and Regards.



rad_recv: Access-Request packet from host 216.2.193.1 port 42523, id=2, 
length=34
User-Name = 0014F846C199
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = 0014F846C199, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 0014F846C199
expand: %{Stripped-User-Name} - 
expand: %{User-Name} - 0014F846C199
expand: ((did=%{%{Stripped-User-Name}:-%{User-Name}})) - 
((did=0014F846C199))
expand: ou=roles,o=entitlement - ou=roles,o=entitlement
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap://e.net:1389, authentication 0
rlm_ldap: bind as uid=appuser,ou=appadm,o=entitlement/ to ldap://e.net:1389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=roles,o=entitlement, with filter 
((did=0014F846C199))
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute radiusAuthType as RADIUS attribute Auth-Type == Accept
rlm_ldap: looking for reply items in directory...
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 2 to 216.2.193.1 port 42523
Finished request 0.
Going to the next request
Waking up in 0.9 seconds. 
Waking up in 4.0 seconds. 
Cleaning up request 0 ID 2 with timestamp +3
Ready to process requests.



Re: Mapping ldap attribute with radius attribute...howto?

2008-03-31 Thread Alan DeKok
Eric Martell wrote:
 I am using NTRadPing to test the authorization.
 I see in the log that the RADIUS attribute is mapped to the LDAP attribute and
 returns a valid value
 rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
 
 but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.
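The reason `ATTRIBUTE rCidx 3000 string` is read from LDAP but never appears in the Access-Accept is the wire format: RFC 2865 encodes every attribute as a one-byte Type, a one-byte Length and the Value, so a Type of 3000 has no representation, and the vendor-specific dictionary Alan refers to places private attributes inside attribute 26 (Vendor-Specific), which carries a four-byte Vendor-Id followed by one-byte vendor Type / one-byte vendor Length / Value triples. The encoder and parser below are an added example, not code from the thread or from FreeRADIUS; `VENDOR_ID` 99999 and the `Example` vendor name in the dictionary comment are placeholders standing in for a real IANA Private Enterprise Number.

```python
"""
Added example (not from the thread or from FreeRADIUS): why a dictionary
attribute numbered 3000 cannot reach the NAS, and what the vendor-specific
encoding looks like on the wire.

RFC 2865 AVP:  Type(1) Length(1) Value            -> Type is 1..255 only
RFC 2865 VSA:  Type=26 Length(1) Vendor-Id(4) { VType(1) VLength(1) Value }...

VENDOR_ID below is a placeholder, not a registered enterprise number.  The
matching FreeRADIUS dictionary would be (names are an assumption):
    VENDOR        Example        99999
    BEGIN-VENDOR  Example
    ATTRIBUTE     rCidx          1   string
    ATTRIBUTE     rEntitlements  2   string
    END-VENDOR    Example
"""
import struct

VENDOR_SPECIFIC = 26
VENDOR_ID = 99999  # placeholder private enterprise number


def encode_attr(attr_type, value):
    """Standard RFC 2865 AVP. Refuses a Type that does not fit in one byte,
    which is exactly what happens to 'ATTRIBUTE rCidx 3000 string'."""
    if not 1 <= attr_type <= 255:
        raise ValueError(f"attribute type {attr_type} cannot be encoded in a RADIUS packet")
    if len(value) > 253:  # Length is one byte and includes the 2 header bytes
        raise ValueError("value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap a vendor attribute in a Vendor-Specific (26) AVP."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one byte as well")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(data):
    """Parse a run of AVPs. Standard attributes come back as (type, value);
    each sub-attribute of a VSA as (26, vendor_id, vendor_type, value).
    Length fields are checked so a malformed packet raises instead of
    reading past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        payload = data[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC:
            if len(payload) < 4:
                raise ValueError("VSA shorter than its Vendor-Id")
            (vid,) = struct.unpack_from("!I", payload, 0)
            sub, spos = payload[4:], 0
            while spos < len(sub):
                if spos + 2 > len(sub):
                    raise ValueError("truncated vendor sub-attribute")
                vt, vl = struct.unpack_from("!BB", sub, spos)
                if vl < 2 or spos + vl > len(sub):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append((t, vid, vt, sub[spos + 2:spos + vl]))
                spos += vl
        else:
            out.append((t, payload))
        pos += length
    return out


def build_reply(reply_pairs, vendor_dict):
    """Encode (name, value) reply pairs using a name -> vendor-type map,
    so every private attribute rides inside a VSA."""
    return b"".join(encode_vsa(VENDOR_ID, vendor_dict[n], v.encode()) for n, v in reply_pairs)


if __name__ == "__main__":
    vendor_dict = {"rCidx": 1, "rEntitlements": 2}
    reply = [("rCidx", "11"), ("rEntitlements", "test1"),
             ("rEntitlements", "test2"), ("rEntitlements", "test3")]
    print(decode_attrs(build_reply(reply, vendor_dict)))
```

The same one-byte limit applies to the vendor Type, so a vendor dictionary numbers its attributes 1..255 too; only the Vendor-Id has room for large numbers.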


Re: Mapping ldap attribute with radius attribute...howto?

2008-03-31 Thread Eric Martell
Thanks so much, Alan. Really appreciated your help.

It did work for a single return value. Please check the log. I searched the 
following thread for multiple attributes, but it did not have the right logic 
without changing the data.

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg19275.html

We do not control changes to the LDAP data, as it is legacy.

For multi-valued LDAP attributes I am getting ONLY the first value.

rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test1
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test2
rlm_ldap: LDAP attribute entitlements as RADIUS attribute rEntitlements = 
test3
rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
rlm_ldap: user 0014F846C199 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [0014F846C199/via Auth-Type = Accept] (from client samir port 0)
Sending Access-Accept of id 21 to 216.2.193.1 port 20070
rEntitlements = test1
rCidx = 11


Alan DeKok [EMAIL PROTECTED] wrote: Eric Martell wrote:
 I am using NTRadPing to test the authorization.
 I see in the log that the RADIUS attribute is mapped to the LDAP attribute and
 returns a valid value
 rlm_ldap: LDAP attribute roleid as RADIUS attribute rCidx = 11
 
 but I did not see it in the Sending Access-Accept reply to NAS.

  Attributes between 1 and 255 can go into a packet.  Attributes greater
than that cannot go into a packet.

  You will need to define a vendor-specific dictionary for your
attribute.  See share/dictionary.*

  Alan DeKok.

