We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on an LDAP attribute, WLANStatus. I added the attribute
to the dictionary and ldap.attrmap as follows. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE       My-Local-wlanStatus     3000    string

/etc/raddb/ldap.attrmap
replyItem       My-Local-wlanStatus             WLANStatus

/etc/raddb/sites-available/default
authorize {
        ...
        ldap
        if (My-Local-wlanStatus == "A1") {
                reject
        }
        ...
}

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=student,o=example.com, with filter
(uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: WLANStatus -> My-Local-wlanStatus = "A1"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (My-Local-wlanStatus == "A1")
    (Attribute My-Local-wlanStatus was not found)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
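
An added example, not part of the original post: the debug output shows rlm_ldap mapping WLANStatus through a replyItem line, which puts the attribute in the reply list, while an unqualified name in unlang is looked up in the request list, so the check never matches and the user is not rejected. The fragment assumes the FreeRADIUS 2.x unlang list qualifier `reply:` and reuses the poster's attribute names.

```text
# /etc/raddb/ldap.attrmap (unchanged from the post)
# replyItem puts the mapped value in the reply list.
replyItem       My-Local-wlanStatus             WLANStatus

# /etc/raddb/sites-available/default
authorize {
        ...
        ldap

        # As posted: an unqualified attribute name is searched for in the
        # request list, where rlm_ldap never put it. The condition logs
        # "Attribute My-Local-wlanStatus was not found" and is false, so
        # a user with WLANStatus "A1" is still authorized.
        #
        # if (My-Local-wlanStatus == "A1") {
        #         reject
        # }

        # Name the list that the replyItem mapping writes to.
        if (reply:My-Local-wlanStatus == "A1") {
                reject
        }
        ...
}
```

With the qualifier in place, the `radiusd -X` output for a user whose WLANStatus is "A1" should show the condition evaluating to TRUE, followed by the reject.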
