On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
> Don't try and use the users file for complex stuff like this.
>
> In your profile objects add an attribute for preferredNetwork.
>
> Use ldap xlat to search in the directory for an profile object with a
> preferredNetwork attribute which matches the stripped path of the username,
> specify DN as the attribute to retrieve.
>
> Something like:
>
> authorize {
>     update control {
>         User-Profile := "%{ldap:ldap:///<base dn>?DN?sub?preferredNetwork=%{<your_preferred_network_attr>}}"
>     }
>
>     if (!control:User-Profile) {
>         reject # or whatever you want to do for this case
>     }
>
>     ldap
> }
Hi.
Thanks for the pointers.
I actually needed to search for group membership as well as the group name:
User-Profile := "%{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}"
This checks whether the current user is a member of the group he/she sent as
preferred and returns the pointer to the group radius profile.
I'm of course hitting a problem with EAP, where it complains that the EAP
identity is different from the User-Name because I'm changing User-Name
in the hints file, but I'll work around it somehow.
Thanks again,
Martin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
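The Preferred-Network value in the xlat above is taken from the username the client sent, so it is interpolated into an LDAP search filter and into an LDAP URL. The following is an added example, not code from the thread or from FreeRADIUS, that builds the same URL with the user-supplied value escaped per RFC 4515 (filter metacharacters) and RFC 4516 (URL components), so a crafted network name cannot widen the filter or shift the URL fields; the base DN and user DN are constructed sample values, and it assumes the LDAP client library decodes percent-encoding in the filter component.

```python
from urllib.parse import quote, unquote

# Constructed for this example; matches the base DN used in the thread.
BASE_DN = "ou=groups,dc=wuji,dc=cz"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    The characters that can change filter structure are replaced by
    backslash plus two hex digits, e.g. '*' -> '\\2a', '(' -> '\\28'.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_profile_url(preferred_network: str, user_dn: str) -> str:
    """Return the ldap:/// URL the xlat from the thread expands to.

    Both interpolated values are filter-escaped, and the filter is then
    percent-encoded as a URL component so that '?' in a value cannot
    be read as the start of the next URL field (RFC 4516).
    """
    flt = "(&(cn=%s)(uniqueMember=%s))" % (
        escape_filter_value(preferred_network),
        escape_filter_value(user_dn),
    )
    return "ldap:///%s?seeAlso?sub?%s" % (BASE_DN, quote(flt, safe="=,()&\\"))


def parse_ldap_url(url: str) -> dict:
    """Split an ldap:///base?attrs?scope?filter URL into its four fields."""
    if not url.startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?", 3)
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = (unquote(p) for p in parts)
    return {"base": base, "attrs": attrs, "scope": scope, "filter": flt}
```

With `*)(cn=*` as the network name the filter becomes `(&(cn=\2a\29\28cn=\2a)(uniqueMember=...))`, a literal string match rather than a second clause, and `wifi?x` stays in the filter field instead of truncating it.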