Re: authorize an user using a multivalue ldap attribute

2010-10-26 Thread Ana Gallardo
Thank you very much for your responses.


Conversely, you could comment out/remove the use Data::Dumper line
 since you're not using it.  It's mainly for debugging and easily
 printing the entire contents of an object/array/hash/etc.


OK, Kevin, I don't use Data::Dumper and I can run FreeRADIUS with my Perl
module.

My problem is with the hashes that rlm_perl provides to my script: rlm_perl
adds to the reply hash an attribute Relaciones with the value of the
attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

[ldap1] performing user authorization for ana
[ldap1] expand: %{Stripped-User-Name} -> ana
[ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
...
[ldap1] looking for check items in directory...
  [ldap1] ntPassword -> NT-Password == 0x35...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += 01
  [ldap1] sn -> Nombre-Completo = ana
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user ana authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
...
rlm_perl: Added pair User-Name = ana
rlm_perl: Added pair User-Password = 
rlm_perl: Added pair Intentos-Reject = 1
rlm_perl: Added pair SQL-User-Name = ana
rlm_perl: Added pair Stripped-User-Name = ana
rlm_perl: Added pair Calling-Station-Id = xxx
rlm_perl: Added pair Nombre-Completo = ana
rlm_perl: Added pair Relaciones = 01
*rlm_perl: Added pair Relaciones = ana*
rlm_perl: Added pair NT-Password = 0x35...
rlm_perl: Added pair Simultaneous-Use = 1
rlm_perl: Added pair Ldap-UserDn = ...

Thank you


  Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello,

I have a string attribute named Relaciones in my ldap.

This attribute can have more than one value. Currently I return those values
in the reply:

Sending Access-Accept of id 229 to X.X.X.X port 32796
Relaciones += -11
Relaciones += 03
Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in the authorize section to
check all the Relaciones attributes with a regex, but I don't know how I
can check all the attributes, and how I can stop processing the attributes if I
find one without a minus sign.


if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

}


Thanks very much, and sorry for my english.


-- 


  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello again,

I have a string attribute named Relaciones in my ldap.

 This attribute can have more than one value. Currently I return those values
 in the reply:

 Sending Access-Accept of id 229 to X.X.X.X port 32796
 Relaciones += -11
 Relaciones += 03
 Relaciones += -01

 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize section to
 check all the Relaciones attributes with a regex, but I don't know how I
 can check all the attributes, and how I can stop processing the attributes if I
 find one without a minus sign.


 if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

 }



Maybe I can check the value with a check item:

#cat /etc/freeradius/ldap.attrmap

checkItem   NT-Password       ntPassword
checkItem   Relaciones        Relaciones   ~= /^([0-9]{2})/

replyItem   Nombre-Completo   sn
replyItem   Relaciones        Relaciones   +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
  [ldap] ntPassword -> NT-Password == 0x3...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += -11
  [ldap1] Relaciones -> Relaciones += 03
  [ldap1] Relaciones -> Relaciones += -01
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user XXX authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
[ldap1] returns ok
? if (fail)
? Evaluating (fail) -> FALSE
? if (fail) -> FALSE
- entering else else {...}
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
expand: %{reply:Relaciones} -> -11
? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
+? if (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
- else else returns ok


any ideas?

thank you very much.



  Ana Gallardo Gómez


Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Alan DeKok
Ana Gallardo wrote:
 I want to authorize the access only if there is one attribute Relaciones
 with a positive value. So I would like to use unlang in the authorize
 section to check all the Relaciones attributes with a regex, but I
 don't know how I can check all the attributes, and how I can stop
 processing the attributes if I find one without a minus sign.
 
 
 if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

  You can't really do that with unlang.  I suggest using the perl module.

  Alan DeKok.



Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Ana Gallardo
Hello Alan, and thank you for your response.

  You can't really do that with unlang.  I suggest using the perl module.



I followed your suggestion and wrote this:

# cat /etc/freeradius/perl/checkRelaciones.pm

use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
use Data::Dumper;

use constant RLM_MODULE_REJECT => 0;  # /* immediately reject the request */
use constant RLM_MODULE_OK     => 2;  # /* the module is OK, continue */

sub authorize {
    # rlm_perl hands a multi-valued attribute to Perl as an array reference
    # and a single value as a plain scalar, so normalise to a list first.
    my $rel = $RAD_REPLY{'Relaciones'};
    my @valores = ref($rel) eq 'ARRAY' ? @$rel : (defined $rel ? ($rel) : ());

    # Accept as soon as one value starts with two digits (i.e. no minus sign).
    foreach my $valor (@valores) {
        if ($valor =~ /^([0-9]{2})/) {
            return RLM_MODULE_OK;
        }
    }

    return RLM_MODULE_REJECT;
}

1;


and I use this in authorize section:

authorize{
  ...
  files
  ...
  perl
  expiration
  ...
}

But, when I try to run FreeRADIUS in debug mode:
...
  perl {
module = /etc/freeradius/perl/checkRelaciones.pm
func_authorize = authorize
func_authenticate = authenticate
func_accounting = accounting
func_preacct = preacct
func_checksimul = checksimul
func_detach = detach
func_xlat = xlat
func_pre_proxy = pre_proxy
func_post_proxy = post_proxy
func_post_auth = post_auth
func_recv_coa = recv_coa
func_send_coa = send_coa
  }

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
 at /usr/lib/perl/5.10/Data/Dumper.pm line 36


So, I think that I need to upgrade or something like that.

Thank you again.



  Ana Gallardo Gómez

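As an added example (not Ana's code and not part of FreeRADIUS), here is the same check written so it can be exercised from the command line before the file is loaded into the server. It assumes the rlm_perl data model of the 2.x server: a reply attribute that occurs more than once is passed in %RAD_REPLY as an array reference, a single occurrence as a scalar, and the return codes RLM_MODULE_REJECT = 0 and RLM_MODULE_OK = 2 quoted in the thread. The reply_values and has_positive_relacion helpers and the five test cases are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from FreeRADIUS.
# Assumption: rlm_perl exports %RAD_REPLY, and an attribute that appears more
# than once in the reply list (Relaciones here) arrives as an array reference;
# a single occurrence arrives as a plain scalar.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

# Return every value of a reply attribute as a flat list, whatever shape
# rlm_perl handed us (absent, scalar, or array reference).
sub reply_values {
    my ($name) = @_;
    my $v = $RAD_REPLY{$name};
    return ()  unless defined $v;
    return @$v if ref($v) eq 'ARRAY';
    return ($v);
}

# One positive value is enough: two leading digits and therefore no minus sign.
# The regex is anchored at the start, so "-11" fails and "03" matches.
sub has_positive_relacion {
    foreach my $valor (reply_values('Relaciones')) {
        return 1 if $valor =~ /^[0-9]{2}/;
    }
    return 0;
}

# Entry point named in func_authorize in the perl { } module configuration.
sub authorize {
    return has_positive_relacion() ? RLM_MODULE_OK : RLM_MODULE_REJECT;
}

# Self-test when run directly (perl checkRelaciones.pm). rlm_perl loads the
# file as a module, so caller() is set and this block is skipped in the server.
unless (caller) {
    # Constructed cases mirroring the values shown in the thread's debug output.
    my @cases = (
        [ [ '-11', '03', '-01' ], RLM_MODULE_OK,     'array ref, one positive' ],
        [ [ '-11', '-01' ],       RLM_MODULE_REJECT, 'array ref, all negative' ],
        [ '01',                   RLM_MODULE_OK,     'single scalar, positive' ],
        [ '-05',                  RLM_MODULE_REJECT, 'single scalar, negative' ],
        [ undef,                  RLM_MODULE_REJECT, 'attribute absent' ],
    );
    for my $c (@cases) {
        my ($value, $want, $desc) = @$c;
        %RAD_REPLY = ();
        $RAD_REPLY{'Relaciones'} = $value if defined $value;
        my $got = authorize();
        printf "%s: %s\n", ($got == $want ? 'ok' : 'FAIL'), $desc;
    }
}

1;
```

Running `perl checkRelaciones.pm` prints one line per case; the absent-attribute case matters because a user with no Relaciones values at all must be rejected rather than accepted by accident. Keeping the regex anchored at the start of the value is what turns "no minus sign" into a check the server can enforce.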

Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Jonathan Gazeley

On 22/10/10 13:16, Ana Gallardo wrote:

Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
  at /usr/lib/perl/5.10/Data/Dumper.pm line 36


You need to install the Data::Dumper module from your package manager, 
or from CPAN, or from somewhere else :)


--

Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless & VPN Team
Information Services
University of Bristol



Re: authorize an user using a multivalue ldap attribute

2010-10-22 Thread Kevin Ehlers
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
 On 22/10/10 13:16, Ana Gallardo wrote:
 Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
 Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
 symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
   at /usr/lib/perl/5.10/Data/Dumper.pm line 36
 
 You need to install the Data::Dumper module from your package manager,
 or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the use Data::Dumper line
since you're not using it.  It's mainly for debugging and easily
printing the entire contents of an object/array/hash/etc.

-- 
Kevin Ehlers
Network Engineer
University of Oregon


