LDAP Group assign to vlan after AD user authentication

NdK ndk.clanbo at gmail.com
Tue Jan 24 09:05:25 CET 2012


On 24/01/2012 08:48, Arran Cudbard-Bell wrote:

>> But how do I set Tunnel-Private-Group-Id from an
>> exec-ed script?
> Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for).
Urgh! So easy! :)

> Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow...
Surely. But in some setups it's not possible to browse AD as an ldap
server. At least w/o leaving around username and password. That's a
no-no, unless you can create "service users" (which we can't :( ).
But this way we can put users on different VLANs w/o problems :)

IIUC, post-auth exec should occur only once, right?

Tks,
 Diego.
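
The truncation caveat quoted above, worked through as an added example (not code from this thread or from FreeRADIUS). It compares regex matching over a truncated group string with deciding the VLAN inside the exec-ed script, so that only a short VLAN id is returned. The group names, VLAN ids and the 253-byte limit are assumptions made for illustration.

```python
import re

# Assumption: the thread only says "maximum internal string size"; 253 is illustrative.
ASSUMED_MAX_LEN = 253

# Hypothetical policy, highest priority first: (AD group, VLAN id).
VLAN_BY_GROUP = [("net-admins", "10"), ("staff", "20"), ("students", "30")]
DEFAULT_VLAN = "99"  # hypothetical fallback VLAN for users matching no group


def truncate_like_server(value, limit=ASSUMED_MAX_LEN):
    """Model the silent truncation of an over-long exec result."""
    return value.encode()[:limit].decode(errors="ignore")


def vlan_from_regex(tmp_string):
    """Server-side approach: regex matches over the comma-separated group list.

    The match is anchored on separators so 'staff' does not match 'staff-guests'.
    """
    for group, vlan in VLAN_BY_GROUP:
        if re.search(r"(^|,)" + re.escape(group) + r"(,|$)", tmp_string):
            return vlan
    return DEFAULT_VLAN


def vlan_from_script(groups):
    """Script-side approach: pick the VLAN in the script, return only the id."""
    member = set(groups)
    for group, vlan in VLAN_BY_GROUP:
        if group in member:
            return vlan
    return DEFAULT_VLAN


def sample_groups(n_filler):
    """Constructed membership: n_filler unrelated groups, then 'staff' last."""
    return [f"dept-project-group-{i:03d}" for i in range(n_filler)] + ["staff"]


if __name__ == "__main__":
    for n in (3, 40):
        groups = sample_groups(n)
        seen_by_server = truncate_like_server(",".join(groups))
        print(n, "filler groups:",
              "regex ->", vlan_from_regex(seen_by_server),
              "| script ->", vlan_from_script(groups))
```

With many memberships the regex approach falls through to the default VLAN without any error, which is the silent failure worth monitoring for if the group list is matched server-side.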



More information about the Freeradius-Users mailing list