LDAP Group assign to vlan after AD user authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jan 24 12:15:35 CET 2012


On 24 Jan 2012, at 09:05, NdK wrote:

> Il 24/01/2012 08:48, Arran Cudbard-Bell ha scritto:
> 
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for).
> Urgh! So easy! :)
> 
>> Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow...
> Surely. But in some setups it's not possible to browse AD as an ldap
> server. At least w/o leaving around username and password. That's a
> no-no, unless you can create "service users" (which we can't :( ).
> But this way we can put users on different VLANs w/o problems :)
> 

Ah fair enough. Yes you do need a user to bind.

> IIUC, post-auth exec should occur only once, right?
> 

Yep.

-Arran

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
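The backtick-expansion approach Arran describes, as an added example that is not from the thread or from the FreeRADIUS project: a FreeRADIUS 2.x post-auth section that runs a hypothetical script (/usr/local/bin/ad-groups, assumed to print the user's AD group names as one comma-separated line), stores the output in Tmp-String-0, and sets the VLAN from anchored regex matches. The group names and VLAN ids are placeholders.

```unlang
# post-auth section of a FreeRADIUS 2.x virtual server (e.g. sites-enabled/default).
# Assumed: /usr/local/bin/ad-groups "<user>" prints one line such as
# "Staff,VLAN-Students,Wifi". Exec is slow, so this runs once, in post-auth only.
post-auth {
    update request {
        # Backtick expansion runs the program and stores its stdout.
        # Tmp-String-0 is limited to the RADIUS string size (253 bytes): if the
        # user is in many groups the output is silently truncated, so have the
        # script print the VLAN-relevant groups first and drop the rest.
        Tmp-String-0 := `/usr/local/bin/ad-groups "%{User-Name}"`
    }

    # Anchor each group name between start/end of line or a comma, so that
    # "VLAN-Staff" does not also match "VLAN-Staff-Test" or "XVLAN-Staff".
    if (Tmp-String-0 =~ /(^|,)VLAN-Staff(,|$)/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "10"
        }
    }
    elsif (Tmp-String-0 =~ /(^|,)VLAN-Students(,|$)/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "20"
        }
    }
    else {
        # No recognised group (or empty/truncated output): send an explicit
        # restricted VLAN rather than leaving the switch to pick a default.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "99"
        }
    }
}
```

Because the first matching branch wins, order the branches from most to least privileged group when a user can be in several.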
