Peter Lambrechtsen <plambrecht...@gmail.com> wrote:
>
> I find the easiest way to do it is to use a custom "users" file to allow /
> prevent access based on exact matches of LDAP attributes.
>
> then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
> reject.
>
> This is how we do it here:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>

Depending on how you have things set up locally and how you are trying to skin this particular cat, but you could just use an LDAP filter to get all this done and keep the logic out of FreeRADIUS (although I probably would *not* recommend it):
----
filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
----
Means you get the effect as if the user did not even exist.

Just throwing another option out there...although I would recommend the users file with a bunch of fall throughs personally.

Cheers

--
Alexander Clouter
.sigmonster says: All phone calls are obscene.
                  -- Karen Elizabeth Gordon
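An added example, not part of the original post and not FreeRADIUS code: a small evaluator for the filter above, run over constructed directory entries to show which accounts the search would return and which would look as if they did not exist. It handles only the operators this filter uses, treats matching as case-insensitive as a simplification, and escapes the user name per RFC 4515 before substitution (an assumption of this sketch).

```python
import re

# Filter from the post; FreeRADIUS expands %{Stripped-User-Name} per request.
FILTER = ("(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))"
          "(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))")

def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index just past it)."""
    op = s[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def unescape(v):  # undo RFC 4515 \xx escapes
    return re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] in ("&", "|"):
        hits = [matches(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v.lower() for v in entry.get(attr, [])]  # case-insensitive: simplification
    if pattern == "*":                                  # presence test
        return bool(values)
    if pattern.endswith("*"):                           # prefix match, e.g. staff*
        return any(v.startswith(unescape(pattern[:-1])) for v in values)
    return unescape(pattern) in values

def found(username, directory):  # would the search return an entry for this name?
    safe = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), username)
    tree, _ = parse(FILTER.replace("%{Stripped-User-Name}", safe))
    return any(matches(tree, e) for e in directory)

# Constructed sample accounts (not from the post): cn, employeeType, loginDisabled.
ROWS = [("alice", "staff", None), ("bob", "staff offsite", "FALSE"),
        ("carol", "staff retired", None), ("dave", "staff", "TRUE"),
        ("erin", "student", None)]
DIRECTORY = [{"objectclass": ["Person"], "cn": [cn], "employeetype": [t],
              **({"logindisabled": [d]} if d else {})} for cn, t, d in ROWS]
VISIBLE = [cn for cn, _, _ in ROWS if found(cn, DIRECTORY)]  # accounts the search returns
```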