ldap filter depending on NAS

Matthieu Lazaro matthieu.lazaro at eservglobal.com
Tue Apr 21 15:18:46 CEST 2009


Hello,

My FreeRADIUS setup works very well using PEAP/TLS, binding on the LDAP
using only one filter.
Now I have two very different types of NAS and I need to filter users
that may have access to one NAS, the other, or both.
My idea was to use unlang in the ldap module to write my policy, but
it's not working.

In /etc/freeradius/modules/ldap we have:


ldap {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "127.0.0.1"
    identity = "__snipped__"
    password = "__snipped__"
    basedn = "dc=__snipped__,dc=com"


    # WORKING:

    #filter = "(&(|(accessTo=WIFI_FR)(accessTo=WIFI_ALL))(uid=%{Stripped-User-Name:-%{User-Name}}))"

    # NOT working:

    if (NAS-IP-Address == 10.1.1.2) {
        filter = "(&(|(accessTo=WIFI_XX)(accessTo=WIFI_YY))(uid=%{Stripped-User-Name:-%{User-Name}}))"
    }
    else {
        filter = "(&(accessTo=VPN)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    }

    base_filter = "(objectclass=radiusprofile)"


    ___snipped-the rest of this section is OK___


}

It all happens as if the "if () { ... } else { ... }" is completely
ignored (and thus it defaults to checking whether the uid exists),
i.e. neither filter1 nor filter2 appears when debugging, but when we
only put filter, it appears when debugging.

I think I'm missing a lot of details in the configuration, and I have not
figured out how to do this with the hints, huntgroups or clients files.
Any help on why this is not working, or another simple solution, is welcome.

Best Regards,

Matt
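One way to get the per-NAS filter the post asks for, added here as an example and not configuration from the post or from the FreeRADIUS project: unlang keywords such as if/else are interpreted only inside the virtual-server sections (authorize, authenticate, post-auth, ...) in sites-enabled/*, never inside a module's own configuration block in modules/*, which is why the if above is silently ignored. Define two named instances of the ldap module, each with a fixed filter, and choose between them in authorize. The instance names ldap_wifi and ldap_vpn are assumptions; the NAS address 10.1.1.2, the accessTo values and the uid filter are taken from the post, and the snipped connection settings are kept as placeholders.

```unlang
# /etc/freeradius/modules/ldap  (added example: two named instances of rlm_ldap)
ldap ldap_wifi {
    server   = "127.0.0.1"
    identity = "__snipped__"
    password = "__snipped__"
    basedn   = "dc=__snipped__,dc=com"
    # Fixed filter for users allowed on the WiFi NAS.  Attribute values
    # expanded into the filter (here the user name) are LDAP-escaped by
    # the module, so a crafted User-Name cannot alter the filter.
    filter = "(&(|(accessTo=WIFI_XX)(accessTo=WIFI_YY))(uid=%{Stripped-User-Name:-%{User-Name}}))"
    base_filter = "(objectclass=radiusprofile)"
    # ... remaining settings as in the original single instance ...
}

ldap ldap_vpn {
    server   = "127.0.0.1"
    identity = "__snipped__"
    password = "__snipped__"
    basedn   = "dc=__snipped__,dc=com"
    # Fixed filter for users allowed on the VPN NAS.
    filter = "(&(accessTo=VPN)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    base_filter = "(objectclass=radiusprofile)"
    # ... remaining settings as in the original single instance ...
}

# /etc/freeradius/sites-enabled/default  (authorize section; unlang is
# interpreted here).  Other modules (preprocess, suffix, eap, ...) stay as
# in the existing authorize section; only the ldap call changes.
authorize {
    # ... existing modules ...

    # Pick the LDAP instance, and therefore the access filter, per NAS.
    if (NAS-IP-Address == 10.1.1.2) {
        ldap_wifi
    }
    else {
        ldap_vpn
    }

    # Fail closed: a user that does not match the chosen filter is not
    # found by the module; reject explicitly instead of relying on a later
    # fall-through.
    if (notfound) {
        reject
    }

    # ... existing modules ...
}
```

With PEAP, the inner request is processed by the inner-tunnel virtual server, so put the same if/else in its authorize section and test the outer request's attribute, %{outer.request:NAS-IP-Address}, in the condition (or set copy_request_to_tunnel = yes in the peap section of eap.conf). Building one instance whose filter splices in a fragment such as (accessTo=VPN) from an attribute does not work, because rlm_ldap escapes the parentheses and other LDAP metacharacters in every expanded value; that escaping is what protects the filter from LDAP injection through the user name, and it is why separate instances are the right tool here.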

More information about the Freeradius-Users mailing list