[RADIATOR] LDAP: dereferencing searches

AYANIDES, Jean-Philippe jpayanides at prosodie.com
Mon Sep 24 08:56:47 UTC 2018

Hello Hugh,

I have noticed the existence of "deref" parameter, but no one is designed to specify what extended attribute you want to get from the dereferenced ones.

In the following example, an object of class oscradiusclient contains an attribute "memberof" which is actually a reference to another object (aka a DN).

when you run an extended search to get attribute "radiusReplyItem" from the referenced attribute memberof:

ldapsearch -Y GSSAPI -E 'deref=memberof:radiusReplyItem' '(objectclass=oscradiusclient)' control memberof

You get:

# LDAPv3
# base <SUFFIX> (default) with scope subtree
# filter: (&(objectclass=oscradiusclient2))
# requesting: control
# with dereference control

# ipa2.pp-iam.mycorp.net, computers, accounts, pp-iam.mycorp.net
dn: fqdn=ipa2.pp-iam.mycorp.net,cn=computers,cn=accounts,SUFFIX

memberof: ipaUniqueID=UUID1,cn=hbac,SUFFIX
memberof: ipaUniqueID=UUID2,cn=hbac,SUFFIX

# memberof: <radiusReplyItem=you are authorized with the integrated iam profile1>;

# memberof: <radiusReplyItem=you are authorized with the integrated iam profile2>;

As you can see, the virtual attribute "control" contains all you have requested in the 'deref=' parameter, in a base64 encoded way. The two following commented lines are merely detailing in a readable form the value of "control".

BUT… how to search like this in radiator ? The existence of the parameter "deref" suggest that it is possible, my I do not know how to proceed. No keywords listed un section 3.9.23 seems to be designed for that.

Finally, it would be great if you can add support for postSearchHook in ClientListLDAP as a complement of the above possibility to dereference subordinates DN of a search. Is that a feature we could buy ?

Best regards


De : Hugh Irvine <hugh at open.com.au>
Envoyé : samedi 22 septembre 2018 00:54:22
À : AYANIDES, Jean-Philippe
Cc : radiator at lists.open.com.au
Objet : Re: [RADIATOR] LDAP: dereferencing searches

Salut Jean-Philippe -

You can use any of the LDAP keywords as listed in section 3.9 of the Radiator 4.21 reference manual (“doc/ref.pdf”).

See section 3.9.23 Deref for example.

We could also look at adding support for PostSearchHook in ClientListLDAP if required.



> On 22 Sep 2018, at 01:57, AYANIDES, Jean-Philippe <jpayanides at prosodie.com> wrote:
> Hello,
> I'd like to use LDAP2 mechanism to get clients attributes from LDAP (with the directive "clientlistldap").
> But one of the attribute returned by the ldap search is a DN (syntax I would like to dereference.
> So well, I am looking to the way to dereference that DN, in order to get attributes from the linked object.
> With ldapsearch, I used to run for example:
>     ldapsearch -Y GSSAPI -E 'deref=memberof:radiusReplyItem' '(serverhostname=myNAS)'
> But with LDAP2, I do not know how to do it. There is no keyword similar to the keyword "filter" designed to add the extending searches...
> Can anyone help me ?
> Jean-Philippe
> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message._______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator


Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.open.com.au/pipermail/radiator/attachments/20180924/93816bd1/attachment.html>

More information about the radiator mailing list