Reject users based on LDAP attribute
C.F. Yeung
yeungcf at gmail.com
Thu May 17 07:54:24 CEST 2012
We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follow. Where should I put the unlang?
/etc/raddb/dictionary
ATTRIBUTE My-Local-wlanStatus 3000 string
/etc/raddb/ldap.attrmap
replyItem My-Local-wlanStatus WLANStatus
/etc/raddb/sites-available/default
authorize {
...
ldap
if (My-Local-wlanStatus == "A1") {
reject
}
...
}
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=student,o=example.com, with filter
(uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: WLANStatus -> My-Local-wlanStatus = "A1"
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (My-Local-wlanStatus == "A1")
(Attribute My-Local-wlanStatus was not found)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120517/4b72a06d/attachment.html>
More information about the Freeradius-Users
mailing list