unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello list,

I want to delete one reply attribute from the reply list if the Access-Request
does not originate from a specific NAS-IP-Address.

Currently I have solved this by adding this unlang code in the authorize section:

if (!NAS-IP-Address == x.x.x.x) {
	update reply {
		Aruba-Admin-Role := ""
	}
}

The man page of unlang says:
!* Delete all occurrences of the named attribute, no matter what the value.

I think this is better than just clearing the attribute value. But how
can I use this, what's the correct syntax?

I have tested the following without success:

Aruba-Admin-Role !* 
Aruba-Admin-Role !*
!* Aruba-Admin-Role

Thanks in advance,

Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang - delete attribute - !*

2013-10-09 Thread Hachmer, Tobias
Hello Arran,

thanks for the answer. This has worked!

Regards,
Tobias Hachmer


-Original Message-
From: 
freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org 
[mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org]
 On behalf of Arran Cudbard-Bell
Sent: Wednesday, 9 October 2013 08:22
To: FreeRadius users mailing list
Subject: Re: unlang - delete attribute - !*


On 9 Oct 2013, at 07:05, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de 
wrote:

> Hello list,
>
> I want to delete one reply attribute from the reply list if the
> Access-Request does not originate from a specific NAS-IP-Address.
>
> Currently I have solved this by adding this unlang code in the authorize section:
>
> if (!NAS-IP-Address == x.x.x.x) {
> 	update reply {
> 		Aruba-Admin-Role := ""
> 	}
> }
>
> The man page of unlang says:
> !* Delete all occurrences of the named attribute, no matter what the value.
>
> I think this is better than just clearing the attribute value. But
> how can I use this, what's the correct syntax?
>
> I have tested the following without success:
>
> Aruba-Admin-Role !* 
> Aruba-Admin-Role !*
> !* Aruba-Admin-Role
>

update reply {
	Aruba-Admin-Role !* ANY
}

Will delete all.

update reply {
	Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
}

Will delete the first instance.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team

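Arran's two forms, placed in a complete authorize-section fragment, as an added example that is not part of the original thread. The NAS address 192.0.2.10 is a documentation-range placeholder standing in for the x.x.x.x in the question; the attribute and list names are the ones from the thread.

```unlang
#  Added example, FreeRADIUS 2.x unlang, authorize { ... } fragment.
#  Assumption: 192.0.2.10 is the single NAS that may receive Aruba-Admin-Role.
#  This must run after the modules (ldap, files, ...) that populate the reply
#  list, otherwise there is nothing to delete yet.

if (NAS-IP-Address != 192.0.2.10) {
	update reply {
		#  "!* ANY" removes every instance of the attribute, whatever its
		#  value.  The right-hand side is ignored; ANY is the conventional
		#  placeholder.
		Aruba-Admin-Role !* ANY
	}
}

#  Variant from the same answer: remove only the first instance.  The xlat
#  expands to the value of the first Aruba-Admin-Role in the reply list and
#  "-=" deletes the pair whose value matches it.  Later instances survive.
#if (NAS-IP-Address != 192.0.2.10) {
#	update reply {
#		Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
#	}
#}
```

Which form to use follows from the thread's own "delete all" versus "delete the first instance": if several profiles can each add an Aruba-Admin-Role, `-=` strips one value and leaves the rest on the wire, so `!* ANY` is the safer way to deny the role to an unexpected NAS. Check the result with `radiusd -X` and a test Access-Request whose NAS-IP-Address is not 192.0.2.10; the debug output prints the reply list after the authorize section and the attribute should be gone.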


Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Hachmer, Tobias
Hello Alan,

> Hachmer, Tobias wrote:
>> -   Rewrite DN?
> You can rewrite the DN.  That's why it's editable, as the LDAP-UserDn
> attribute.

How can I do this, and how much magic would it take to rewrite the DN?
The local LDAP DIT and the AD DIT are totally different (different OU
structure). It is much more than rewriting the base DN.
If there's no way to determine the DN in the AD DIT again, I think I can achieve
this more easily using ntlm_auth, because I just want to check the password
against AD. Am I right?

Kind regards,
Tobias Hachmer


Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Hachmer, Tobias
>> How can I do this, and how much magic would it take to rewrite the DN?
>> The local LDAP DIT and the AD DIT are totally different (different OU
>> structure). It is much more than rewriting the base DN.
>> If there's no way to determine the DN in the AD DIT again, I think I can
>> achieve this more easily using ntlm_auth, because I just want to check the
>> password against AD. Am I right?
>
> Yes.
>
> update control {
> 	LDAP-BaseDN !* ANY
> }
> open_ldap.authorize
> open_ldap

Thanks Arran for the answer. I dropped the ldap module for AD and configured
ntlm_auth to keep the FreeRADIUS config simpler.
Then I defined a new Auth-Type which does ntlm_auth and, in case of reject,
falls back to the ldap module (in case the Active Directory server is not
available).

authorize {
	...
	ldap_local
	...
}

authenticate {
	...
	Auth-Type AD {
		ntlm_auth {
			reject = 2
		}
		if (reject) {
			ldap_local
		}
	}
	...
}

For users who are in Active Directory I added a new RADIUS profile which sets
Auth-Type to AD.
For users who are only in the local LDAP, the module does this automatically.

Kind regards,
Tobias Hachmer
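The fallback configuration from the post above, expanded into the two raddb pieces it depends on, as an added example that is not from the original thread. The ntlm_auth path, the NetBIOS domain EXAMPLE, and the assumption that the AD users' LDAP profile carries a check item `Auth-Type := AD` are mine; the module name ldap_local and the Auth-Type name are the ones in the post. FreeRADIUS 2.x syntax.

```unlang
#  Added example (not from the thread): "try AD via ntlm_auth, fall back to the
#  local OpenLDAP copy".  Assumptions: Samba's ntlm_auth is /usr/bin/ntlm_auth,
#  the AD domain is EXAMPLE, ldap_local is the OpenLDAP instance defined in
#  modules/ldap, and the AD users' LDAP profile sets "Auth-Type := AD" as a
#  check item so that requests for them land in the section below.

#  raddb/modules/ntlm_auth
exec ntlm_auth {
	wait = yes
	#  rlm_exec maps exit status 0 to "ok" and 1 to "reject".  radiusd needs
	#  read access to winbindd's privileged pipe for --request-nt-key.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

#  raddb/sites-enabled/default, authenticate section
authenticate {
	Auth-Type AD {
		#  Give "reject" a priority so the section keeps running instead of
		#  returning as soon as ntlm_auth fails.
		ntlm_auth {
			reject = 2
		}
		#  Entered on any ntlm_auth failure.  ntlm_auth exits 1 whether no
		#  domain controller answered, the password was wrong, or the account
		#  is disabled, so this branch cannot tell an outage from a bad
		#  password; the local copy is consulted in every one of those cases.
		if (reject) {
			ldap_local
		}
	}
}
```

The comment in the `if (reject)` branch is the point to check before copying this: because the exit status alone does not distinguish an unreachable AD from a wrong password, a user whose AD password was changed or whose AD account was disabled still authenticates with whatever password the OpenLDAP copy holds, until that entry is updated or removed. If the fallback is meant only for outages, the local copy needs to be kept in step with AD for that to hold.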


differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
Hello list,

first of all a bit background about my environment:


-   CentOS 6.4

-   FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on 
Oct  3 2012 at 01:22:51

-   OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)

Here we use Microsoft Active Directory (not under our responsibility) for user
authentication.
I have set up an OpenLDAP master/slave construct (syncrepl) for RADIUS
authorization and (fallback) authentication, like:

                 LDAP Master
                      |
            +---------+---------+
            |                   |
     RADIUS Primary      RADIUS Secondary
     local LDAP copy     local LDAP copy

All RADIUS authorization information is stored in the OpenLDAP DIT using
RADIUS profiles.
The usernames in the OpenLDAP DIT and in Active Directory are the same.

The normal scenario should be:

-   retrieve authorization from the OpenLDAP DIT (module ldap_openldap)

-   authenticate the user (password verification) against Active Directory
    (module ldap_ad)

    o   if the Active Directory server isn't reachable, check the password
        against module ldap_openldap

Problem:
After the module ldap_openldap has found the DN for the requesting user,
FreeRADIUS uses the same DN to bind against module ldap_ad. I know this can't
work.

Is there a possible solution for this using ldap?

-   Configure module ldap_ad to determine the DN of user again?

-   Rewrite DN?

If not, would this work using ntlm_auth?

Any help appreciated.

Kind regards,
Tobias Hachmer

Re: differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
> As far as I know it is not possible to use a ldap module to authenticate
> against AD. See this page for protocol compatibility:



Thank you for the answer. But it is possible using simple bind via ldap.

But that's not my problem.



Regards,

Tobias Hachmer

ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
Dear listmembers,

I have following setup:


-   CentOS 6.4

-   freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host 
x86_64-redhat-linux-gnu, built on Oct  3 2012 at 01:22:51

-   authorization & authentication in LDAP (OpenLDAP)

What I am trying to achieve is:

-   manage radius profiles completely in ldap with replyItems

-   return reply Items of multiple profiles to a user if he belongs to 
multiple profiles

Example RADIUS Profiles:

dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Read-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Write-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Admin-Priv
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0x
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0x

dn: uid=sosReadWrite,ou=profiles,ou=radius, dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = Root-Admin

Example RADIUS User:

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
cn: Tobias Hachmer
givenName: Tobias
mail: tobias.hach...@stadt-frankfurt.de
radiusServiceType: Administrative-User
sn: Hachmer
uid: hachmer
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusProfile
userPassword:: ...
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite

I don't know how to configure FreeRADIUS to read the radiusGroupName 
attribute and attach the configured return Items to the return list.

Using unlang I am able to do this:

if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
	update reply {
		Alcatel-Access-Priv = Alcatel-Read-Priv
		Alcatel-Access-Priv += Alcatel-Write-Priv
		Alcatel-Access-Priv += Alcatel-Admin-Priv
		Alcatel-Acce-Priv-F-W1 := 0x
		Alcatel-Acce-Priv-F-W2 := 0x
		Alcatel-Asa-Access := All
	}
}
if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
	update reply {
		NS-Admin-Privilege := Root-Admin
	}
}

This is working fine but has the disadvantage that I have to configure the
reply items statically in the FreeRADIUS configuration files.
I want to manage these profiles in LDAP as well. Is this possible?

Kind regards,
Tobias Hachmer

Re: ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
>> I don't know how to configure FreeRADIUS to read the radiusGroupName
>> attribute and attach the configured return Items to the return list.
> *configured reply items to the reply list.

Of course, sorry for the inaccuracy.

>> I want to manage these profiles also in ldap. Is this possible?
> Well yes, that's the point of RADIUS profiles in LDAP.
> You need to set the profile_attribute configuration item to
> radiusGroupName. IIRC you also need to use full DNs for the radiusGroupName
> values.

That was the missing hint. Thank you Arran!
It is working as expected.

Kind regards,
Tobias Hachmer
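The rlm_ldap settings that turn Arran's hint into a working configuration for the LDIF shown in the question, as an added example that is not from the original thread. The module instance name ldap_openldap (from the earlier thread), the server name, and the read-only bind identity are assumptions; the attribute and entry names are the ones in the LDIF. FreeRADIUS 2.x syntax.

```unlang
#  Added example (not from the thread): raddb/modules/ldap for FreeRADIUS 2.x,
#  configured so that every profile a user is linked to contributes its
#  radiusReplyItem / radiusCheckItem values.  Assumptions: server
#  ldap.example.com, a read-only bind DN, instance name ldap_openldap.

ldap ldap_openldap {
	server = "ldap.example.com"
	#  A read-only service account; profile entries now hand out device
	#  admin privileges, so nothing RADIUS uses should be able to write them.
	identity = "cn=radius,ou=services,dc=example,dc=com"
	password = "change-me"
	basedn = "ou=radius,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  Each value of this user attribute must be the full DN of a profile
	#  entry.  rlm_ldap reads the entry and merges its check and reply items
	#  into the request, one profile after the other.  With the thread's
	#  entries that means the user object stores
	#      radiusGroupName: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
	#      radiusGroupName: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
	#  and not the bare "aosReadWrite".
	profile_attribute = "radiusGroupName"

	#  Optional: one profile applied to everybody before the per-user ones.
	#default_profile = "uid=base,ou=profiles,ou=radius,dc=example,dc=com"

	#  Stock mapping of radiusCheckItem / radiusReplyItem and friends.
	dictionary_mapping = ${confdir}/ldap.attrmap

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}
```

Two things to keep in mind with this layout. radiusGroupName is also rlm_ldap's default `groupmembership_attribute`, so any `Ldap-Group ==` check that relied on matching the bare name against that attribute now has to compare against the profile DN (group lookups that go through the group entries themselves, as in the unlang in the question, are unaffected). And because the profile entries under ou=profiles now decide who gets `NS-Admin-Privilege = Root-Admin` or `Alcatel-Admin-Priv`, the OpenLDAP ACLs on that subtree, and on the users' radiusGroupName attribute, are part of the RADIUS trust boundary: whoever can write there can grant themselves device admin.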