Noted & TQ. Will try the proposed solution.

--haizam

----- Original Message ----- From: "Kolbjørn Barmen" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list" <[email protected]>
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group


On Tue, 19 Feb 2008, Alan DeKok wrote:

Rohaizam Abu Bakar wrote:
> I tried to do regex match in Ldap-Group. From below users file, The
> "NAS-Identifier" regex works OK but for Ldap-Group match, it's not
> working as below DEBUG log.

  It doesn't work like that.  The match is "IF the user is in the named
group".  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().

  If you want it to do a regex match, you'll have to modify the code in
rlm_ldap.

Also note that LDAP typically doesn't allow substring search on any given
attribute.

My solution is to use a separate script to perform a search in LDAP using
ldap-search and output whatever you need in the attribute.

Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:

----
#! /bin/sh
# /usr/sbin/ldap2vlan
# Look up the DN of the user named in $1 and keep only the ou directly
# below ou=test,o=bla (e.g. "group1").  -w takes the bind password as an
# argument; -W would prompt for it interactively.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
       -D cn=admin,ou=test,o=bla -w mypasswd \
       '(cn='${1}')' dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')

# Print the VLAN id without a trailing newline so it lands in the attribute as-is.
test "${GROUP}" = "group1" && echo -n 110 && exit 0
test "${GROUP}" = "group2" && echo -n 120 && exit 0
----

And then in the users file I have

DEFAULT Freeradius-Proxied-To == 127.0.0.1
     Tunnel-Type = VLAN,
     Tunnel-Medium-Type = IEEE-802,
     Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`

Tunnel-Private-Group-Id will then either be "110" or "120" depending on
whether the user is found in group1 or group2 (and group1 if found in both)

Hope this helps... :)

--
Kolbjørn Barmen
UNINETT Driftsenter
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
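A hardened variant of the exec-script approach in Kolbjørn's message, added here as an example; it is not the script from the post and not FreeRADIUS project code. It differs in three ways that matter for a script fed by RADIUS input: the User-Name is escaped before it is spliced into the LDAP filter (the posted script passes ${1} through unescaped, so a crafted User-Name can alter the filter), the bind password is read from a file instead of being passed on the command line where `ps` shows it, and the DN-to-VLAN mapping is split into functions that can be checked against constructed ldapsearch output. The host, base DN, group names and VLAN ids follow the post; the ldap:// URI, the password file path, the function names and OpenLDAP ldapsearch's `-y` option are assumptions.

```shell
#!/bin/sh
# ldap2vlan (hardened example): map a RADIUS User-Name to a VLAN id by the
# ou its LDAP entry lives in.  Added example, not the script from the post.

# Assumed deployment values: host, base and bind DN follow the post; the
# URI scheme and the password file (mode 0600, owned by the radiusd user)
# are assumptions.
LDAP_URI=${LDAP_URI:-ldap://10.0.0.92}
BASE=${BASE:-ou=test,o=bla}
BIND_DN=${BIND_DN:-cn=admin,ou=test,o=bla}
PASS_FILE=${PASS_FILE:-/etc/raddb/ldap2vlan.pass}

# Escape the RFC 4515 filter metacharacters so a User-Name such as
# "*)(uid=*" cannot change the meaning of the search filter.
ldap_filter_escape() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the ou directly beneath BASE for a DN such as
# "cn=alice,ou=group1,ou=test,o=bla" (-> group1); fail when the DN does
# not have that shape (entries directly under BASE, foreign suffixes).
group_of_dn() {
    case "$1" in
        *",$BASE") ;;
        *) return 1 ;;
    esac
    rel=${1%",$BASE"}      # cn=alice,ou=group1
    rdn=${rel##*,}         # ou=group1
    case "$rdn" in
        ou=*) printf '%s\n' "${rdn#ou=}" ;;
        *) return 1 ;;
    esac
}

# Group name -> VLAN id.  Unknown groups fail instead of handing an empty
# Tunnel-Private-Group-Id to the NAS.
vlan_for_group() {
    case "$1" in
        group1) printf '%s\n' 110 ;;
        group2) printf '%s\n' 120 ;;
        *) return 1 ;;
    esac
}

# Read "ldapsearch -LLL" output on stdin and print the VLAN of the first
# entry whose parent ou maps to one; fail when no entry does.
vlan_from_ldif() {
    sed -n 's/^dn: //p' | {
        while IFS= read -r dn; do
            grp=$(group_of_dn "$dn") || continue
            if vlan=$(vlan_for_group "$grp"); then
                printf '%s' "$vlan"   # no trailing newline: it goes straight into the attribute
                exit 0
            fi
        done
        exit 1
    }
}

# Full lookup: bind with the password from PASS_FILE, search for the
# escaped User-Name below BASE, map the returned DN to a VLAN.
lookup_vlan() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE" -D "$BIND_DN" -y "$PASS_FILE" \
        "(cn=$(ldap_filter_escape "$1"))" dn | vlan_from_ldif
}

# Invoked from the users file as %{exec:/usr/sbin/ldap2vlan %{User-Name}}.
# A non-zero exit leaves Tunnel-Private-Group-Id unset rather than empty.
if [ -n "${1:-}" ]; then
    lookup_vlan "$1"
fi
```

Two caveats when dropping this into a real deployment: unlike the posted script it takes the first matching entry in the order the server returns them rather than preferring group1 when a user exists in both ous, and `sed -n 's/^dn: //p'` does not decode base64 DNs (`dn:: ...`) or folded LDIF lines, so non-ASCII or very long DNs need an LDIF-aware parser.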