Alexander Clouter wrote:
Peter Lambrechtsen <[email protected]> wrote:
I find the easist way to do it is to use a custom "users" file to allow /
prevent access based on exact matches of LDAP attributes.
then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
reject.
This is how we do it here:
http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
Peter... but how does that work with multivalued attributes? If someone
has employeeType[0] = "FooBar" and employeeType[1] = "STAFF OFFSITE" it
doesn't seem like it would work...
Also, at the moment, I don't have a users file... I'm using LDAP only,
with the little configuration I need in unlang.
Depending on how you have things set up locally and how you are trying
to skin this particular cat, but you could just use an LDAP filter to
get all this done and keep the logic out of FreeRADIUS (although I
probably would *not* recommend it):
----
filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff
retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
----
Means you get the effect as if the user did not even exist.
Just throwing another option out there...although I would recommend the
users file with a bunch of fall throughs personally.
Cheers
I know I didn't specify it in my original message, but that loses the
verbose (SQL-ized) logging that I need...
I don't really know anything about it, and haven't seen mention of it
outside of the modules list, but perhaps I could use rlm_perl or
rlm_python? Does anyone know about the efficiency of these? I know I'm
approaching this from the standpoint of a traditional programming
language, but the way I see it, I just need to loop over the values of
the employeeType[] attribute, and have some sort of variable to store
state...
-Jason
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
