unlang - delete attribute - !*
Hello list,

I want to delete one reply attribute from the reply list if the Access-Request is not originating from a special NAS-IP-Address. Currently I have solved this by adding this unlang code in the authorize section:

    if (!NAS-IP-Address == x.x.x.x) {
        update reply {
            Aruba-Admin-Role :=
        }
    }

The man page of unlang says:

    !*  Delete all occurrences of the named attribute, no matter what the value.

I think this is the better way than just clearing the attribute value. But how can I use this, what's the correct syntax? I have tested the following without success:

    Aruba-Admin-Role !*
    Aruba-Admin-Role !*
    !* Aruba-Admin-Role

Thanks in advance,
Tobias Hachmer

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: unlang - delete attribute - !*

Hello Arran,

thanks for the answer. This has worked!

Regards,
Tobias Hachmer

-----Original Message-----
From: freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org [mailto:freeradius-users-bounces+tobias.hachmer=stadt-frankfurt...@lists.freeradius.org] On behalf of Arran Cudbard-Bell
Sent: Wednesday, 9 October 2013 08:22
To: FreeRadius users mailing list
Subject: Re: unlang - delete attribute - !*

On 9 Oct 2013, at 07:05, Hachmer, Tobias <tobias.hach...@stadt-frankfurt.de> wrote:

> Hello list,
>
> I want to delete one reply attribute from the reply list if the Access-Request is not originating from a special NAS-IP-Address. Currently I have solved this by adding this unlang code in the authorize section:
>
>     if (!NAS-IP-Address == x.x.x.x) {
>         update reply {
>             Aruba-Admin-Role :=
>         }
>     }
>
> The man page of unlang says:
>
>     !*  Delete all occurrences of the named attribute, no matter what the value.
>
> I think this is the better way than just clearing the attribute value. But how can I use this, what's the correct syntax? I have tested the following without success:
>
>     Aruba-Admin-Role !*
>     Aruba-Admin-Role !*
>     !* Aruba-Admin-Role

    update reply {
        Aruba-Admin-Role !* ANY
    }

Will delete all.

    update reply {
        Aruba-Admin-Role -= %{reply:Aruba-Admin-Role}
    }

Will delete the first instance.

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
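The operators contrasted in this thread, modelled in Python as an added illustration (this is not FreeRADIUS code or anything posted on the list): the semantics of `:=`, `+=`, `-=` and `!* ANY` follow the unlang man page and Arran's reply, and the sample reply list and the 192.0.2.x NAS addresses are constructed stand-ins for the poster's `x.x.x.x`.

```python
"""Toy model of FreeRADIUS 2.x 'update reply' operators (added illustration,
not FreeRADIUS source).  A reply list is an ordered list of (name, value)
pairs because a RADIUS attribute may occur several times."""
from typing import List, Optional, Tuple

Pair = Tuple[str, str]


def first_value(reply: List[Pair], attr: str) -> Optional[str]:
    """Equivalent of the %{reply:Attr} expansion: the first instance's value."""
    for name, value in reply:
        if name == attr:
            return value
    return None


def update(reply: List[Pair], attr: str, op: str, value: str) -> List[Pair]:
    """Apply one 'Attr op value' line of an update block; returns a new list."""
    if op == ":=":   # replace every instance with exactly one (value may be empty)
        return [p for p in reply if p[0] != attr] + [(attr, value)]
    if op == "+=":   # append another instance
        return reply + [(attr, value)]
    if op == "-=":   # remove only the first instance with this exact value
        out = list(reply)
        for i, pair in enumerate(out):
            if pair == (attr, value):
                del out[i]
                break
        return out
    if op == "!*":   # delete all instances, whatever their value ("ANY" is ignored)
        return [p for p in reply if p[0] != attr]
    raise ValueError(f"unsupported operator {op!r}")


def strip_role_unless_trusted(reply: List[Pair], nas_ip: str,
                              trusted_nas: str) -> List[Pair]:
    """The poster's intent: only the trusted NAS gets Aruba-Admin-Role at all."""
    if nas_ip != trusted_nas:
        return update(reply, "Aruba-Admin-Role", "!*", "ANY")
    return reply


# Constructed sample reply list with two instances of the role attribute.
SAMPLE_REPLY: List[Pair] = [
    ("Aruba-Admin-Role", "root"),
    ("Aruba-Admin-Role", "read-only"),
    ("Session-Timeout", "3600"),
]
```

Note that `:=` with an empty value still leaves an (empty) Aruba-Admin-Role in the reply, which is what the poster wanted to avoid; `!* ANY` removes every instance.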
Re: differentiate authorization/authentication in separate ldap modules

Hello Alan,

> Hachmer, Tobias wrote:
>> - Rewrite DN?
>
> You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute.

How can I do this, and by what magic could I rewrite the DN? The local LDAP DIT and the AD DIT are totally different (different OU structure). It is much more than rewriting the base DN.

If there's no way to determine the DN in the AD DIT again, I think I can achieve this more easily using ntlm_auth, because I just want to check the password against AD. Am I right?

Kind regards,
Tobias Hachmer
Re: differentiate authorization/authentication in separate ldap modules

>> How can I do this, and by what magic could I rewrite the DN? The local LDAP DIT and the AD DIT are totally different (different OU structure). It is much more than rewriting the base DN.
>>
>> If there's no way to determine the DN in the AD DIT again, I think I can achieve this more easily using ntlm_auth, because I just want to check the password against AD. Am I right?
>
> Yes.
>
>     update control {
>         LDAP-BaseDN !* ANY
>     }
>     open_ldap.authorize
>     open_ldap

Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the FreeRADIUS config simpler. Then I defined a new Auth-Type which does ntlm_auth and, in case of reject, falls back to the ldap module (in case the Active Directory server is not available):

    authorize {
        ...
        ldap_local
        ...
    }

    authenticate {
        ...
        Auth-Type AD {
            ntlm_auth {
                reject = 2
            }
            if (reject) {
                ldap_local
            }
        }
        ...
    }

For users who are in Active Directory I added a new RADIUS profile which sets Auth-Type to AD. For users who are only in the local LDAP, the module does this automatically.

Kind regards,
Tobias Hachmer
differentiate authorization/authentication in separate ldap modules

Hello list,

first of all a bit of background about my environment:

- CentOS 6.4
- FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)

Here we use Microsoft Active Directory (not in our responsibility) for user authentication. I have set up an OpenLDAP master/slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like:

              LDAP Master
              |         |
    RADIUS Primary      RADIUS Secondary
    local LDAP copy     local LDAP copy

All RADIUS authorization information is stored in the OpenLDAP DIT using RADIUS profiles. The usernames in the OpenLDAP DIT and in Active Directory are the same.

The normal scenario should be:

- retrieve authorization from the OpenLDAP DIT (module ldap_openldap)
- authenticate the user (password verification) against Active Directory (module ldap_ad)
  - if the Active Directory server isn't reachable, check the password against module ldap_openldap

Problem: After the module ldap_openldap has found the DN for the requesting user, FreeRADIUS uses the same DN to bind against module ldap_ad. I know this can't work.

Is there a possible solution for this using ldap?

- Configure module ldap_ad to determine the DN of the user again?
- Rewrite DN?

If not, would this work using ntlm_auth?

Any help appreciated.

Kind regards,
Tobias Hachmer
Re: differentiate authorization/authentication in separate ldap modules

> As far as I know it is not possible to use a ldap module to authenticate against AD. See this page for protocol compatibility:

Thank you for the answer. But it is possible using simple bind via ldap. But that's not my problem.

Regards,
Tobias Hachmer
ldap: multiple radius profiles
Dear list members,

I have the following setup:

- CentOS 6.4
- freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- authorization and authentication in ldap (openldap)

What I am trying to achieve is:

- manage RADIUS profiles completely in ldap with replyItems
- return the reply items of multiple profiles to a user if he belongs to multiple profiles

Example RADIUS profiles:

    dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
    cn: AOS Read-Write
    objectClass: radiusObjectProfile
    objectClass: radiusProfile
    uid: aosReadWrite
    radiusReplyItem: Alcatel-Access-Priv += Alcatel-Read-Priv
    radiusReplyItem: Alcatel-Access-Priv += Alcatel-Write-Priv
    radiusReplyItem: Alcatel-Access-Priv += Alcatel-Admin-Priv
    radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0x
    radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0x

    dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
    cn: screenOS Read-Write
    objectClass: radiusObjectProfile
    objectClass: radiusProfile
    uid: sosReadWrite
    radiusReplyItem: NS-Admin-Privilege = Root-Admin

Example RADIUS user:

    dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
    cn: Tobias Hachmer
    givenName: Tobias
    mail: tobias.hach...@stadt-frankfurt.de
    radiusServiceType: Administrative-User
    sn: Hachmer
    uid: hachmer
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: radiusProfile
    userPassword:: ...
    radiusGroupName: aosReadWrite
    radiusGroupName: sosReadWrite

I don't know how to configure FreeRADIUS to read the radiusGroupName attribute and attach the configured return items to the return list.

Using unlang I am able to do this:

    if (Ldap-Group == cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com) {
        update reply {
            Alcatel-Access-Priv = Alcatel-Read-Priv
            Alcatel-Access-Priv += Alcatel-Write-Priv
            Alcatel-Access-Priv += Alcatel-Admin-Priv
            Alcatel-Acce-Priv-F-W1 := 0x
            Alcatel-Acce-Priv-F-W2 := 0x
            Alcatel-Asa-Access := All
        }
    }

    if (Ldap-Group == cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com) {
        update reply {
            NS-Admin-Privilege := Root-Admin
        }
    }

This is working fine but has the disadvantage that I have to configure the return items statically in the FreeRADIUS configuration files. I want to manage these profiles in ldap as well. Is this possible?

Kind regards,
Tobias Hachmer
Re: ldap: multiple radius profiles

>> I don't know how to configure FreeRADIUS to read the radiusGroupName attribute and attach the configured return items to the return list.
>
> *configured reply items to the reply list.

Of course, sorry for the inaccuracy.

>> I want to manage these profiles in ldap as well. Is this possible?
>
> Well yes, that's the point of RADIUS profiles in LDAP. You need to set the profile_attribute configuration item to radiusGroupName. IIRC you also need to use full DNs for the radiusGroupName values.

That was the missing hint. Thank you Arran! It is working as expected.

Kind regards,
Tobias Hachmer