Re: authorize a user using a multivalue ldap attribute
Thank you very much for your responses.

> Conversely, you could comment out/remove the use Data::Dumper line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

Ok, Kevin, I don't use Data::Dumper and I can run FreeRADIUS with my Perl module. My problem is with the hashes that rlm_perl provides to my script: rlm_perl adds to the reply hash an attribute Relaciones with the value of the attribute Nombre-Completo, and also adds Nombre-Completo!

Debug:

    [ldap1] performing user authorization for ana
    [ldap1] expand: %{Stripped-User-Name} -> ana
    [ldap1] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=ana)
    ...
    [ldap1] looking for check items in directory...
    [ldap1] ntPassword -> NT-Password == 0x35...
    [ldap1] looking for reply items in directory...
    [ldap1] Relaciones -> Relaciones += 01
    [ldap1] sn -> Nombre-Completo = ana
    WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
    [ldap1] user ana authorized to use remote access
    [ldap1] ldap_release_conn: Release Id: 0
    [ldap1] returns ok
    ...
    rlm_perl: Added pair User-Name = ana
    rlm_perl: Added pair User-Password =
    rlm_perl: Added pair Intentos-Reject = 1
    rlm_perl: Added pair SQL-User-Name = ana
    rlm_perl: Added pair Stripped-User-Name = ana
    rlm_perl: Added pair Calling-Station-Id = xxx
    rlm_perl: Added pair Nombre-Completo = ana
    rlm_perl: Added pair Relaciones = 01
    *rlm_perl: Added pair Relaciones = ana*
    rlm_perl: Added pair NT-Password = 0x35...
    rlm_perl: Added pair Simultaneous-Use = 1
    rlm_perl: Added pair Ldap-UserDn = ...

Thank you

Ana Gallardo Gómez

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
authorize a user using a multivalue ldap attribute
Hello,

I have a string attribute named Relaciones in my LDAP. This attribute can have more than one value. Currently I return those values in the reply:

    Sending Access-Accept of id 229 to X.X.X.X port 32796
        Relaciones += -11
        Relaciones += 03
        Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize module to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

    if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
    }

Thanks very much, and sorry for my English.

--
Ana Gallardo Gómez
Re: authorize a user using a multivalue ldap attribute
Hello again,

I have a string attribute named Relaciones in my LDAP. This attribute can have more than one value. Currently I return those values in the reply:

    Sending Access-Accept of id 229 to X.X.X.X port 32796
        Relaciones += -11
        Relaciones += 03
        Relaciones += -01

I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize module to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.

    if (%{reply:Relaciones} =~ /^([0-9]{2})/) {
    }

Maybe I can check the value with a check item:

    # cat /etc/freeradius/ldap.attrmap
    checkItem   NT-Password       ntPassword
    checkItem   Relaciones        Relaciones    ~= /^([0-9]{2})/
    replyItem   Nombre-Completo   sn
    replyItem   Relaciones        Relaciones    +=

Anyway, I tested both ideas, but they don't work:

    [ldap] looking for check items in directory...
    [ldap] ntPassword -> NT-Password == 0x3...
    [ldap1] looking for reply items in directory...
    [ldap1] Relaciones -> Relaciones += -11
    [ldap1] Relaciones -> Relaciones += 03
    [ldap1] Relaciones -> Relaciones += -01
    WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
    [ldap1] user XXX authorized to use remote access
    [ldap1] ldap_release_conn: Release Id: 0
    [ldap1] returns ok
    ++? if (fail)
    ? Evaluating (fail) -> FALSE
    ++? if (fail) -> FALSE
    ++- entering else else {...}
    +++? if (%{reply:Relaciones} =~ /^([0-9]{2})/)
        expand: %{reply:Relaciones} -> -11
    ? Evaluating (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
    +++? if (%{reply:Relaciones} =~ /^([0-9]{2})/) -> FALSE
    ++- else else returns ok

Any ideas? Thank you very much.

Ana Gallardo Gómez
Re: authorize a user using a multivalue ldap attribute
Ana Gallardo wrote:
> I want to authorize the access only if there is one attribute Relaciones with a positive value. So I would like to use unlang in the authorize module to check all the attributes Relaciones with a regex, but I don't know how I can check all the attributes, and how I can stop processing the attributes if I find one without a minus sign.
>
>     if (%{reply:Relaciones} =~ /^([0-9]{2})/) {

  You can't really do that with unlang.  I suggest using the perl module.

  Alan DeKok.
Re: authorize a user using a multivalue ldap attribute
Hello Alan, and thank you for your response.

> You can't really do that with unlang.  I suggest using the perl module.

I followed your suggestion and wrote this:

    # cat /etc/freeradius/perl/checkRelaciones.pm
    use strict;
    use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);
    use Data::Dumper;

    use constant RLM_MODULE_REJECT => 0;  # /* immediately reject the request */
    use constant RLM_MODULE_OK     => 2;  # /* the module is OK, continue */

    sub authorize {
        # rlm_perl hands over a multi-valued attribute as an array reference
        # and a single-valued one as a plain scalar; accept either shape.
        my $relaciones = $RAD_REPLY{'Relaciones'};
        return RLM_MODULE_REJECT unless defined $relaciones;
        my @valores = ref($relaciones) eq 'ARRAY' ? @{$relaciones} : ($relaciones);

        # accept on the first value that has no leading minus sign
        foreach my $valor (@valores) {
            if ($valor =~ /^([0-9]{2})/) {
                return RLM_MODULE_OK;
            }
        }
        return RLM_MODULE_REJECT;
    }

    1;

and I use this in the authorize section:

    authorize {
        ...
        files
        ...
        perl
        expiration
        ...
    }

but, when I try to run freeradius in debug mode:

    ...
    perl {
        module = /etc/freeradius/perl/checkRelaciones.pm
        func_authorize = authorize
        func_authenticate = authenticate
        func_accounting = accounting
        func_preacct = preacct
        func_checksimul = checksimul
        func_detach = detach
        func_xlat = xlat
        func_pre_proxy = pre_proxy
        func_post_proxy = post_proxy
        func_post_auth = post_auth
        func_recv_coa = recv_coa
        func_send_coa = send_coa
    }
    Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
     at /usr/lib/perl/5.10/Data/Dumper.pm line 36

So, I think that I need to upgrade or something like this.

Thank you again.

Ana Gallardo Gómez
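An added example, not Ana's module and not FreeRADIUS's own code, of the check Alan says unlang cannot express: an rlm_perl authorize function that walks every value of a multi-valued reply attribute and accepts on the first positive one. It assumes that rlm_perl hands a multi-valued attribute to the script as an array reference in %RAD_REPLY and a single-valued one as a plain scalar (an assumption about rlm_perl's calling convention, not something the thread confirms); the helper names reply_values and is_positive, the --selftest flag and the sample values are all constructed here. The regex is anchored at both ends, so only a bare two-digit code counts as positive and an absent attribute is rejected rather than accepted by accident.

```perl
use strict;
use warnings;

# rlm_perl fills these package hashes (in package main) before calling in.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

use constant RLM_MODULE_REJECT => 0;  # immediately reject the request
use constant RLM_MODULE_OK     => 2;  # the module is OK, continue

# Return every value of a reply attribute as a list, whatever shape it came in:
# an array reference for a multi-valued attribute, a plain scalar for a
# single-valued one, nothing if it is absent.
# (Assumed rlm_perl convention; helper constructed for this example.)
sub reply_values {
    my ($name) = @_;
    my $v = $RAD_REPLY{$name};
    return ()    unless defined $v;
    return @{$v} if ref($v) eq 'ARRAY';
    return ($v);
}

# A value is "positive" when it is a bare two-digit code with no leading minus.
# Anchoring with both ^ and $ also rejects values such as "03abc" or "03 -11".
sub is_positive {
    my ($valor) = @_;
    return ($valor =~ /^[0-9]{2}$/) ? 1 : 0;
}

# authorize: OK as soon as one Relaciones value is positive, REJECT otherwise
# (including when the attribute is missing entirely).
sub authorize {
    for my $valor (reply_values('Relaciones')) {
        return RLM_MODULE_OK if is_positive($valor);
    }
    return RLM_MODULE_REJECT;
}

# Stand-alone check, run only with an explicit flag so that it does not fire
# when rlm_perl loads the file. The reply hashes below are constructed sample
# data modelled on the three LDAP values shown in the thread.
if (@ARGV and $ARGV[0] eq '--selftest') {
    my %cases = (
        'multi-valued, one positive'  => ['-11', '03', '-01'],
        'multi-valued, none positive' => ['-11', '-01'],
        'single value, positive'      => '07',
        'single value, negative'      => '-07',
        'attribute absent'            => undef,
    );
    for my $label (sort keys %cases) {
        %RAD_REPLY = ();
        $RAD_REPLY{'Relaciones'} = $cases{$label} if defined $cases{$label};
        my $rc = authorize();
        printf "%-30s -> %s\n", $label,
            $rc == RLM_MODULE_OK ? 'RLM_MODULE_OK' : 'RLM_MODULE_REJECT';
    }
}

1;
```

Run it as `perl checkRelaciones.pm --selftest` to see each constructed case resolve to RLM_MODULE_OK or RLM_MODULE_REJECT before pointing rlm_perl's `module =` at the file; only the "one positive" and "single value, positive" cases should be accepted.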
Re: authorize a user using a multivalue ldap attribute
On 22/10/10 13:16, Ana Gallardo wrote:
> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
>  at /usr/lib/perl/5.10/Data/Dumper.pm line 36

You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)

--
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of Bristol
Re: authorize a user using a multivalue ldap attribute
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
> On 22/10/10 13:16, Ana Gallardo wrote:
>> Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
>>  at /usr/lib/perl/5.10/Data/Dumper.pm line 36
>
> You need to install the Data::Dumper module from your package manager, or from CPAN, or from somewhere else :)

Conversely, you could comment out/remove the use Data::Dumper line since you're not using it. It's mainly for debugging and easily printing the entire contents of an object/array/hash/etc.

--
Kevin Ehlers
Network Engineer
University of Oregon