Yeah, I kinda like the way this is going. In a case like this, you
could have the xlats registered with a group instead of with the server
as a whole. Then, when you make a reference to an xlat'ed value, prefix
it with the group and a colon (much like attribute references), i.e.
"myldap:LDAP-Group == blah". If no prefix is supplied, then it would
default to whatever's in the authorize group like normal. This could be
somewhat tricky to implement, *however* getting this implemented might
have a nice side effect. In users file processing, etc, for regular
attribute matching, you could specify the attribute list to match
against (i.e. check:Some-Config-Attribute == "Some Value"). I think that
both of these ideas could be implemented in the same portion of the code
(userparse I think?).
--Mike
On Tue, 2004-12-14 at 15:52, Alan DeKok wrote:
> Dustin Doris <[EMAIL PROTECTED]> wrote:
> > However, when I am using redundant, I cannot have this redundancy for
> > Ldap-Group lookups.
>
> Yes. That's an issue.
>
> We should really have inter-section references in the config files,
> and fail-over for things like attributes & groups.
>
> e.g.
>
> instantiate {
>     redundant myldap {
>         ldap1
>         ldap2
>     }
>
> }
>
> authorize {
>     myldap
> }
>
> and you should be able to refer to "myldap-group".
>
> Implementing it may be hard, though. It's easy to do for module
> references, and more difficult for things like LDAP-Group.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
--Mike
-----------------------------------
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas