Hello Stephen -

On Fri, 10 Mar 2000, Felicetti, Stephen A. wrote:
> Hey guys...
> 
> I'd like to know if it is possible to use AuthAttrDef in the following
> scenario: 
> 
> I have an LDAP server. I'd like to have an attribute called remoteuser.
> Valid assignments
> to this attribute would be yes, or no.
> I have a Cisco AS5300. It sends an Access-Request to Radiator with only the
> username and password.
> Once Radiator receives this request, it'll lookup the username/password,
> then determine whether the remoteuser attribute is 'yes'. If so, it should
> grant access. If not, then reject it.
> 
> I've added AuthAttrDef to my config file, and within the debug messages, I
> can see that it is retrieving the attribute and its value. But it fails to
> correctly match it with anything. I gather that this is because I haven't
> created anything for it to compare against....am I able to do this? Or does
> AuthAttrDef only work if the attribute and value is sent along with the
> Access-Request? If so, how can that be done with the AS5300?
> 
> PLEASE NOTE: I'm working on a development system, so I had to use different
> attribute names than described above.
> I'm using Radiator 2.15, Netscape LDAP 3.11, Perl 5.00503
> and Net-LDAPapi 1.42.
> 
> Here's my part of my config file:
> <Realm>
>        RewriteUsername s/^([^@]+).*/$1/
>        <AuthBy LDAP>
>                Host            ldaphost
>                Port            389
>                AuthDN          uid=admin,o=blah blah blah
>                AuthPassword    xxxxxxx
>                BaseDN          o=blah blah blah
>                UsernameAttr    uid
>                PasswordAttr    userpassword
>                AuthAttrDef     telephonenumber,Xstring,check
>        </AuthBy>
> </Realm>
> 
> And the debug output:
> 
> Thu Mar  9 16:03:48 2000: DEBUG: Handling request with Handler 'Realm='
> Thu Mar  9 16:03:48 2000: DEBUG: Rewrote user name to safelice
> Thu Mar  9 16:03:48 2000: DEBUG:  Deleting session for safelice, x.x.x.x ,
> 1234
> Thu Mar  9 16:03:48 2000: DEBUG: Handling with Radius::AuthLDAP
> Thu Mar  9 16:03:48 2000: DEBUG: Connecting to ldaphost, port 389
> Thu Mar  9 16:03:48 2000: DEBUG: LDAP got result for uid=safelice,ou=blah
> blah blah
> Thu Mar  9 16:03:48 2000: DEBUG: LDAP got userpassword:
> {crypt}xxxxxxxxxxxxxxxx
> Thu Mar  9 16:03:48 2000: DEBUG: LDAP got telephonenumber: 3660
> Thu Mar  9 16:03:48 2000: DEBUG: Radius::AuthLDAP looks for match with
> safelice
> Thu Mar  9 16:03:48 2000: DEBUG: Radius::AuthLDAP REJECT: Check item Xstring
> expression '3660' does not match '' in request
> Thu Mar  9 16:03:48 2000: DEBUG: Connecting to ldaphost, port 389
> Thu Mar  9 16:03:48 2000: DEBUG: No entries for DEFAULT found in LDAP
> database
> Thu Mar  9 16:03:48 2000: INFO: Access rejected for safelice: Check item
> Xstring expression '3660' does not match '' in request
> Thu Mar  9 16:03:48 2000: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 48151 ....
> Code:       Access-Reject
> Identifier: 198
> Authentic:  1234567890123456
> Attributes:
> Reply-Message = "Request Denied"
> 

Radiator only knows how to deal with attribute/value pairs as defined in the
dictionary that is in use. In your example above, "Xstring" is not defined in
your dictionary, so there is no match.

You will have to find an attribute in the incoming request that indicates what
you are looking for (for example, Service-Type, or NAS-Port-Type) then set your
LDAP attribute to match on the same value (for example, "Framed-User" for
Service-Type, or "async" for NAS-Port-Type).

Alternatively you may be able to write a hook to do what you require.

hth

Hugh

-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.



===
Archive at http://www.starport.net/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
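As an added illustration of the point in Hugh's reply (this is a constructed model, not Radiator's own code), the snippet below mimics how check items pulled from LDAP via AuthAttrDef are compared against the Access-Request: an attribute that is not in the dictionary (Xstring) can never be found in the request, so it is compared against the empty string and the request is rejected; mapping the LDAP value onto an attribute the NAS really sends (here Service-Type) makes the yes/no decision work. The dictionary, request contents and LDAP entries are all made-up sample data; the constructed request assumes the NAS sends Service-Type.

```python
# Constructed model of check-item matching; not code from Radiator.
# DICTIONARY is a made-up subset of a RADIUS dictionary.
DICTIONARY = {"User-Name", "User-Password", "Service-Type", "NAS-Port-Type"}

def ldap_check_items(entry, auth_attr_defs):
    """Turn LDAP attributes into RADIUS check items using lines of the
    form 'ldapattr,radiusattr,check' (the AuthAttrDef syntax used above)."""
    items = {}
    for line in auth_attr_defs:
        ldap_attr, radius_attr, kind = (s.strip() for s in line.split(","))
        if kind == "check" and ldap_attr in entry:
            items[radius_attr] = entry[ldap_attr]
    return items

def evaluate(request, check_items, dictionary=DICTIONARY):
    """Return ('ACCEPT', '') or ('REJECT', reason).  A check item whose
    attribute name is not in the dictionary cannot appear in the request,
    so its request-side value is '' and the comparison always fails."""
    for attr, expected in check_items.items():
        got = request.get(attr, "") if attr in dictionary else ""
        if got != expected:
            return ("REJECT", "Check item %s expression '%s' does not match "
                              "'%s' in request" % (attr, expected, got))
    return ("ACCEPT", "")

# Constructed Access-Request; Service-Type is an assumption about the NAS.
REQUEST = {"User-Name": "safelice", "User-Password": "secret",
           "Service-Type": "Framed-User", "NAS-Port-Type": "Async"}

def original_config():
    """The configuration from the question: Xstring is not in the dictionary."""
    entry = {"uid": "safelice", "telephonenumber": "3660"}
    defs = ["telephonenumber,Xstring,check"]
    return evaluate(REQUEST, ldap_check_items(entry, defs))

def suggested_config(ldap_value):
    """Hugh's suggestion: store a value that matches a real request attribute.
    'Framed-User' plays the role of remoteuser=yes; anything else means no."""
    entry = {"uid": "safelice", "telephonenumber": ldap_value}
    defs = ["telephonenumber,Service-Type,check"]
    return evaluate(REQUEST, ldap_check_items(entry, defs))

if __name__ == "__main__":
    print(original_config())                 # rejected, as in the debug log
    print(suggested_config("Framed-User"))   # accepted: remote user = yes
    print(suggested_config("Login-User"))    # rejected: remote user = no
```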
