Hi Phil,

I tried a test where I commented out "ldap" from the inner tunnel and it appears that you are correct.

I had thought that I would need to "load" the module for the LDAP-Group to be populated.

Anyway, thanks for the tip!

Dave

On 2012-07-31, at 8:41 AM, Phil Mayers <[email protected]> wrote:

> On 31/07/12 13:26, David Aldwinckle wrote:
>> Hello,
>>
>> I figure that other people might benefit from this too, so...
>>
>> I was correct in my previous message. I added ldap to the authorize
>> section of the inner tunnel, and did the group checking in the
>> post-auth of the default server and everything worked wonderfully.
>
> This isn't working for the reasons you seem to think.
>
> The syntax:
>
> if (Ldap-Group == xx)
>
> ...performs a dynamic search against the LDAP directory for the user & group
> membership.
>
> If you're doing this in the "default" post-auth, you're running LDAP twice -
> once in the "inner-tunnel" authorize section, and once in the "default"
> post-auth.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
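The configuration layout the thread is discussing, as a constructed example added here (not either poster's actual config). It assumes FreeRADIUS 2.x unlang syntax, the stock "inner-tunnel" and "default" virtual servers, and a hypothetical group name "wifi-users"; the comments mark which statement triggers which LDAP query.

```unlang
# sites-available/inner-tunnel  (constructed example)
server inner-tunnel {
    authorize {
        eap
        # LDAP query #1: rlm_ldap fetches the user's entry for the
        # inner (real) identity. Not required for a later Ldap-Group
        # comparison to work; that comparison does its own lookup.
        ldap
    }
    authenticate {
        eap
    }
}

# sites-available/default  (constructed example)
server default {
    post-auth {
        # LDAP query #2: the Ldap-Group comparison is a dynamic search
        # for user and group membership, independent of the ldap call
        # above. With both in place, every authentication hits LDAP twice.
        if (Ldap-Group == "wifi-users") {   # hypothetical group name
            ok
        }
        else {
            reject
        }
    }
}
```

Dropping the "ldap" line from inner-tunnel authorize (as tested above) leaves the group check working and halves the LDAP traffic per authentication.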

