
List:       freeradius-users
Subject:    Re: LDAP group check not working with SQL expansion
From:       Arran Cudbard-Bell <a.cudbardb () freeradius ! org>
Date:       2017-07-25 19:44:48
Message-ID: E2EB1AE1-A314-4B03-AC1B-342E97B0A020 () freeradius ! org


> On Jul 25, 2017, at 3:38 PM, Klara Mall <klara.mall@kit.edu> wrote:
> 
> Hi,
> 
> On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
> > 
> > > I've found a dirty workaround with an explicit LDAP lookup:
> > > 
> > > w2vgroupcheck {
> > >     if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
> > >         # does realm exist?
> > >         if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) {
> > >             update request {
> > >                 Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> > >                 Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}"
> > >             }
> > >             # is user in group according to realm?
> > >             if (&Tmp-String-1 != "") {
> > >                 update reply {
> > >                     Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}"
> > >                     Tunnel-Type := VLAN
> > >                     Tunnel-Medium-Type := IEEE-802
> > >                 }
> > >             }
> > >             else {
> > >                 reject
> > >             }
> > >         }
> > >         else {
> > >             reject
> > >         }
> > >     }
> > > }
> > 
> > Pushed a fix.  Could you test and see if it addresses your issue.
> > 
> > https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453a52bbe6bcc02f20f515
> > 
> 
> Wonderful. I patched the freeradius version in Debian Stretch with it
> and it works. :)

Excellent, thanks for confirming!

-Arran

