Regex Ldap Group

Rohaizam Abu Bakar haizam at myjaring.net
Wed Feb 20 07:55:16 CET 2008


Noted & TQ. Will try the proposed solution.

--haizam

----- Original Message ----- 
From: "Kolbjørn Barmen" <kolbjorn.barmen at uninett.no>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Sent: Tuesday, February 19, 2008 6:07 PM
Subject: Re: Regex Ldap Group


> On Tue, 19 Feb 2008, Alan DeKok wrote:
>
>> Rohaizam Abu Bakar wrote:
>> > I tried to do regex match in Ldap-Group. From below users file, The
>> > "NAS-Identifier" regex works OK but for Ldap-Group match, it's not
>> > working as below DEBUG log.
>>
>>   It doesn't work like that.  The match is "IF the user is in the named
>> group".  See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().
>>
>>   If you want it to do a regex match, you'll have to modify the code in
>> rlm_ldap.
>
> Also note that LDAP typically doesn't allow substring search on any given
> attribute.
>
> My solution is to use a separate script to perform a search in LDAP using
> ldap-search and output whatever you need in the attribute.
>
> Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
> ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:
>
> ----
> #! /bin/sh
> # /usr/sbin/ldap2vlan
> GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
>        -D cn=admin,ou=test,o=bla -w mypasswd \
>        '(cn='${1}')' dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')
>
> test "${GROUP}" = "group1" && echo -n 110 && exit 0
> test "${GROUP}" = "group2" && echo -n 120 && exit 0
> ----
>
> And then in the users file I have
>
> DEFAULT Freeradius-Proxied-To == 127.0.0.1
>      Tunnel-Type = VLAN,
>      Tunnel-Medium-Type = IEEE-802,
>      Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`
>
> Tunnel-Private-Group-Id will then either be "110" or "120" depending on
> whether user is found in group1 or group2 (and group1 if found in both)
>
> Hope this helps... :)
>
> -- 
> Kolbjørn Barmen
> UNINETT Driftsenter
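The quoted ldap2vlan script splices `%{User-Name}` straight into the LDAP filter, so a username containing `*`, `(` or `)` changes the query, and the script prints nothing (leaving Tunnel-Private-Group-Id empty) when a user is in neither group. The following is an added example, not Kolbjørn's script or anything shipped with FreeRADIUS: it keeps the same DN-to-VLAN idea but escapes the username per RFC 4515, reads the bind password from a file instead of the command line, and fails closed with a non-zero exit when no group matches. The server URI, bind DN, password file path, group names and VLAN ids are placeholders; `fake_lookup_dn` is a constructed stand-in for `ldapsearch` so the example runs without a directory server.

```shell
#!/bin/sh
# Added example: map an LDAP user's DN to a VLAN id, as /usr/sbin/ldap2vlan
# does, with filter escaping and a fail-closed default. Not the original script.

# Escape characters that are special inside an LDAP search filter (RFC 4515):
# backslash, asterisk and parentheses become \5c, \2a, \28 and \29.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Real lookup (assumed server and bind DN). -y reads the bind password from a
# file so it does not appear in the process list; the placeholder path is an
# assumption. Prints the matching entry's "dn: ..." line(s).
ldap_lookup_dn() {
    ldapsearch -x -LLL -H ldap://ldap.example.invalid -b ou=test,o=bla \
        -D cn=radius,ou=test,o=bla -y /etc/raddb/ldap.pw \
        "(cn=$(ldap_filter_escape "$1"))" dn
}

# Constructed stand-in for ldap_lookup_dn so the example runs offline.
fake_lookup_dn() {
    case "$1" in
        alice) printf 'dn: cn=alice,ou=group1,ou=test,o=bla\n' ;;
        bob)   printf 'dn: cn=bob,ou=group2,ou=test,o=bla\n' ;;
        carol) printf 'dn: cn=carol,ou=test,o=bla\n' ;;   # no group ou at all
        *)     ;;                                         # unknown user: no output
    esac
}

# Extract the group ou from one "dn: ..." line; prints nothing if the DN has
# no ou component below the base. (Base64-encoded "dn::" lines, which
# ldapsearch emits for non-ASCII DNs, deliberately fail this parse.)
group_from_dn() {
    printf '%s\n' "$1" | sed -n 's/,ou=test,o=bla$//; s/.*,ou=//p'
}

# Group -> VLAN table (placeholder values). Unknown group: non-zero exit.
vlan_for_group() {
    case "$1" in
        group1) printf '110' ;;
        group2) printf '120' ;;
        *)      return 1 ;;
    esac
}

# ldap2vlan USER [LOOKUP_FN]: print the VLAN id for USER; exit 1 if the user
# is not found, has no group ou, or is in a group without a VLAN mapping.
ldap2vlan() {
    lookup="${2:-ldap_lookup_dn}"
    dn_line=$("$lookup" "$1" | grep '^dn:' | head -n 1)
    group=$(group_from_dn "$dn_line")
    [ -n "$group" ] || return 1
    vlan_for_group "$group"
}

# Command-line use: ldap2vlan.sh USER (queries the real directory).
if [ $# -gt 0 ]; then
    ldap2vlan "$1"
fi
```

Because the script exits non-zero when nothing matches, the `%{exec:...}` expansion in the users file yields no VLAN rather than a silently empty attribute, which is easier to spot in the debug output and keeps unmapped users off any VLAN by default.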