Additional Restrictions for users

William Burnett burnett.w at gmail.com
Mon Sep 27 22:37:35 CEST 2010


Alright,

Glad I asked, I've been trying different variations for half an hour.
I ended up just creating an if-elsif statement since I only had three
static groups, but thought the regexp model would be less taxing than
processing each if statement.

if (Service-Type == "Login-User") {
    if (SQL-Group == "ssh-admin") {
        update control {
            Auth-Type := "Accept"
        }
    }
    elsif (SQL-Group == "ssh-write") {
        update control {
            Auth-Type := "Accept"
        }
    }
    elsif (SQL-Group == "ssh-read") {
        update control {
            Auth-Type := "Accept"
        }
    }
    else {
        update control {
            Auth-Type := "Reject"
        }
    }
}

Thanks again for the pointers.


Sincerely,

William Burnett
burnett.w at gmail.com



On Mon, Sep 27, 2010 at 11:41 AM, Alexander Clouter <alex at digriz.org.uk> wrote:
> William Burnett <burnett.w at gmail.com> wrote:
>>
>> Thanks, that helped; I've got the conditions to match. However, I've
>> set up multiple groups:
>>
>> ssh-admin
>> ssh-read
>> ssh-write
>>
>> and want to use a regexp to match anything containing ssh-* to allow
>> those users to authenticate instead of multiple lines matching each
>> value. Can I use regex matching with SQL-Group ?
>>
>> The following seems to be evaluated as "ssh.*" and not anything
>> containing "ssh......"
>>
>> if (!SQL-Group =~ /ssh.*/ && (Service-Type == "Login-User")) {
>> .....reject.... }
>>
> Does not work like that.  You will need to construct a SQL xlat
> statement that does the check for you, so:
> ----
> if ("%{sql:SELECT ....}" ....) {
> ----
>
> or however SQL modules function, I'm an LDAP man myself.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Are you a turtle?
>
>
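Added example, not part of the original messages and not taken from the FreeRADIUS distribution: one way to write the SQL xlat check suggested in the quoted reply, so that a single condition covers every ssh-* group. It assumes the stock SQL schema (a radusergroup table with username and groupname columns) and that the sql module is instantiated under the name "sql"; adjust both to the local setup.

```unlang
# Assumption: stock schema, table "radusergroup" (username, groupname).
# Assumption: the SQL module instance is called "sql".
if (Service-Type == "Login-User") {
    # Count the user's groups whose name starts with "ssh-".
    # "%%" is a literal "%" inside an expanded string, so the database
    # sees LIKE 'ssh-%'. LIKE with only a trailing wildcard is anchored
    # at the start of the name, unlike the unanchored /ssh.*/ pattern,
    # which would also match a group such as "nossh-test".
    if ("%{sql:SELECT COUNT(*) FROM radusergroup WHERE username = '%{SQL-User-Name}' AND groupname LIKE 'ssh-%%'}" > 0) {
        update control {
            Auth-Type := "Accept"
        }
    }
    else {
        # Default deny: a zero count or an empty result (for example a
        # failed query) does not satisfy "> 0" and ends up here.
        update control {
            Auth-Type := "Reject"
        }
    }
}
```

Running the server with radiusd -X shows the expanded query and the value it returned, which confirms the group prefix matches only the intended groups.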




More information about the Freeradius-Users mailing list