On 02/12/10 13:14, Alexander Clouter wrote:
Phil Mayers <[email protected]> wrote:
It would be really nice to fold those duplicate LDAP-Group lines into
'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
----
/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string "it-switch-admin" for attribute name "ldap_login-LDAP-Group"
Errors reading /etc/freeradius/LOCAL/users-login
AFAICT this doesn't really work because of the way the attribute
comparisons are actually handled.
Was wondering if someone out there knew of a neater way to do this?
Ah, I see.
I was thinking you might be able to do something with the ldap xlat:
update control {
        My-Group-Staff = "%{ldap1:...}"
}
if (!control:My-Group-Staff) {
        update control {
                My-Group-Staff = "%{ldap2:...}"
        }
}
or:
update control {
        My-Group-Staff = "%{%{ldap1:..}:-%{ldap2:...}}"
}
...but sadly, again, the ldap xlat doesn't return an error code, just 0,
so it's impossible to distinguish between no match and error, and you'll
end up hitting the "ldap2" module a lot when you don't need to.
Hmm. Tricky.
How about a pair of ldap modules and creative use of the ldap.attrmap,
so something like:
checkItem My-Group memberOf +=
...then:
policy {
        myldap {
                ldap1
                if (fail) {
                        ldap2
                }
        }
}
...then:
authorize {
        myldap
        if (control:My-Group == "Staff") {
                # something
        }
}
Alternatively, how about:
policy {
        myldap {
                update request {
                        Module-Failure-Message !* 0x00
                        My-Group = "%{ldap1:...}"
                }
                if (Module-Failure-Message) {
                        update request {
                                My-Group = "%{ldap2:...}"
                        }
                }
        }
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
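The return-code approach sketched in the reply above, written out as a complete FreeRADIUS 2.x configuration. This is an added example, not code from the thread or from the FreeRADIUS project. It assumes the 2.x raddb layout, two hypothetical directory servers (ldap1.example.org and ldap2.example.org) reachable with a hypothetical bind DN, a hypothetical local attribute My-Group (number 3000 is in the range raddb/dictionary reserves for local attributes), that the directory exposes group membership as memberOf group DNs, and a made-up group DN for the gate.

```unlang
# --- raddb/dictionary: local attribute that receives the user's group DNs.
#     Name and number are assumptions made for this example.
ATTRIBUTE   My-Group    3000    string

# --- raddb/ldap-groups.attrmap: one file used by BOTH ldap instances, so
#     the same RADIUS attribute is populated whichever server answered.
#     The trailing operator is applied to the resulting control items.
checkItem   My-Group    memberOf    +=

# --- raddb/modules/ldap1: first directory.  Hostname, bind DN, password
#     and base DN are assumptions.
ldap ldap1 {
        server = "ldap1.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "change-me"
        basedn = "dc=example,dc=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap-groups.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- raddb/modules/ldap2: second directory, identical apart from the
#     instance name and server.
ldap ldap2 {
        server = "ldap2.example.org"
        identity = "cn=radius,ou=services,dc=example,dc=org"
        password = "change-me"
        basedn = "dc=example,dc=org"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        dictionary_mapping = ${confdir}/ldap-groups.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

# --- raddb/policy.conf: fall back on the module return code rather than
#     on an xlat, so "user has no matching groups" (notfound) is kept
#     distinct from "server unreachable / bind failed" (fail).  Use
#     "if (fail || notfound)" instead if users may live in either
#     directory rather than only the first.
policy {
        myldap {
                ldap1
                if (fail) {
                        ldap2
                        if (fail) {
                                # Both directories failed: refuse rather
                                # than carry on with no group information
                                # at all (fail closed).
                                reject
                        }
                }
        }
}

# --- raddb/sites-available/default, authorize section.  Authentication
#     is left to the rest of the site configuration; this only gates on
#     the group DN collected above (the DN is made up).
authorize {
        preprocess
        myldap
        if (control:My-Group == "cn=it-switch-admin,ou=groups,dc=example,dc=org") {
                ok
        }
        else {
                reject
        }
}
```

Before relying on the gate, run the server with radiusd -X against an account that belongs to several groups: My-Group will then carry several values, and the debug output shows exactly which control items each ldap instance added and how the comparison in authorize was evaluated.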