Discussion:
Referencing LDAP attributes in post-auth
Adam Track
2011-11-01 18:35:31 UTC
Hello,

I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an LDAP attribute in post-auth.  Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and LDAP for authorization works great.  As an added functionality, I need to send to the NAS a few extra attributes based on an LDAP attribute "personType".  I've added a mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server:
...

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] personType -> Person-Type = "employee"
  [ldap] personType -> Person-Type = "fulltime"
  [ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user tadam authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...

How do I reference this attribute in a perl script I call from post-auth?  It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK...


Actually, I can't even figure out how to reference it from the post-auth section itself. I've tried different things, but I'm thinking the following should work:


update reply {
        Reply-Message := "Type: %{reply:Person-Type}."
}

Yet, I get:


...
+- entering group post-auth {...}
        expand: Type: %{reply:Person-Type}. -> Type: .
++[reply] returns noop
...

Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorize block?


A.
Gary Gatten
2011-11-01 18:44:47 UTC
I'm just guessing, and could be WAY off, but it may be an inner-tunnel vs. outer-tunnel thing. I think there's an option to copy inner-tunnel attribs to outer-tunnel attribs. Maybe start searching in those areas and wait for someone that actually knows something about FR to reply. I used to know a LITTLE bit, but I hardly touch it anymore and find myself forgetting all but the very basics.

G


Adam Track
2011-11-01 19:41:11 UTC
Post by Gary Gatten
I'm just guessing, and could be WAY off, but it may be an inner-tunnel vs. outer-tunnel thing.

In eap.conf, I've got copy_request_to_tunnel = yes and use_tunneled_reply = yes.  Neither the ldap nor the perl module is called in the inner-tunnel.
Phil Mayers
2011-11-01 20:08:09 UTC
Post by Gary Gatten
I'm just guessing, and could be WAY off, but it may be an inner-tunnel
vs. outer-tunnel thing.
In eap.conf, I've got copy_request_to_tunnel = yes and
use_tunneled_reply = yes. Neither the ldap nor perl modules are called
in the inner-tunnel.
Full debug please.

Broadly speaking the approach you're trying should work. Most likely
there's some subtlety which the partial debug doesn't show.

One obvious question: you have defined "Person-Type" in a dictionary
somewhere, haven't you? e.g. in raddb/dictionary:

ATTRIBUTE       Person-Type     3099    string

Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/u
schilling
2011-11-07 02:53:41 UTC
This might help.

I wanted to map certain attributes, like employeeStatus from our
iPlanet LDAP server, to a RADIUS attribute so that I can use it
in the post-auth section.
I put the following line in etc/raddb/dictionary:

ATTRIBUTE       My-Local-employeeStatus 3000    string

and the following line in etc/raddb/ldap.attrmap:

#FOO specific attributes
replyItem       My-Local-employeeStatus employeeStatus

Without these two lines added, radius will complain about an unknown attribute.

Then in the post-auth section:

# By default there is no Tunnel attribute/value; instead, the NAS is
# configured to put such users on the student VLANs.

# This covers my LDAP ntPassword authentication/authorization:
# facstaff have employeeStatus set while students do not.
if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff"
        }
}
# This covers my AD ntlm auth; people in AD are all facstaff.
if ( "%{User-Name}" !~ /@/ ) {
        update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff"
        }
}

In this way, people can map arbitrary attributes from LDAP to RADIUS;
if an attribute is not in dictionary/ldap.attrmap, just define your own. Then
you have the flexibility of using these attribute/value pairs in your logic in
the post-auth section.

Thanks all for the hints and help!

Schilling
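As an added example (not FreeRADIUS code and not from anyone in the thread), a small Python checker that parses the ATTRIBUTE lines of raddb/dictionary and the checkItem/replyItem lines of raddb/ldap.attrmap in the formats shown above, and reports every mapping whose RADIUS attribute is defined nowhere, which is the "unknown attribute" complaint both replies point to. The file contents, the stand-in set of standard attribute names, and the Site-VLAN-Name attribute are constructed.

```python
import re

# Constructed samples, modelled on the two files quoted in the thread.
DICTIONARY_TEXT = """\
# raddb/dictionary (constructed sample)
ATTRIBUTE   My-Local-employeeStatus   3000    string
ATTRIBUTE   Person-Type               3099    string
"""
ATTRMAP_TEXT = """\
# raddb/ldap.attrmap (constructed sample)
checkItem   $GENERIC$                 radiusCheckItem
replyItem   $GENERIC$                 radiusReplyItem
#FOO specific attributes
replyItem   My-Local-employeeStatus   employeeStatus
replyItem   Person-Type               personType
checkItem   Auth-Type                 radiusAuthType
# Site-VLAN-Name is constructed and deliberately left out of the dictionary.
replyItem   Site-VLAN-Name            vlanName
"""
# The real dictionary $INCLUDEs the shared ones; this stand-in set (an
# assumption for the example) covers the standard names the thread uses.
STANDARD_ATTRIBUTES = {"Auth-Type", "User-Name", "Service-Type", "Tunnel-Type",
                       "Tunnel-Medium-Type", "Tunnel-Private-Group-Id",
                       "Reply-Message"}

ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)", re.I)
MAP_RE = re.compile(r"^(checkItem|replyItem)\s+(\S+)\s+(\S+)", re.I)


def parse_dictionary(text):
    """Return {radius_name: (number, type)} for every ATTRIBUTE line."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return attrs


def parse_attrmap(text):
    """Return [(kind, radius_name, ldap_name)] for each mapping line.

    Comment lines never match, and the $GENERIC$ rows (which carry
    whole "Attr = value" strings rather than one attribute) are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m and m.group(2) != "$GENERIC$":
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def undefined_mappings(dictionary_text, attrmap_text, standard=STANDARD_ATTRIBUTES):
    """List attrmap rows whose RADIUS attribute no loaded dictionary defines."""
    known = set(parse_dictionary(dictionary_text)) | set(standard)
    return [row for row in parse_attrmap(attrmap_text) if row[1] not in known]
```

Running undefined_mappings over a real raddb/dictionary and ldap.attrmap (with STANDARD_ATTRIBUTES replaced by the names from the shared dictionaries) flags exactly the lines that would trigger the complaint before the server is restarted.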