I think you want Ldap-UserDN, which contains the DN of the object returned by the LDAP lookup. You need to do a regex match against the trailing part of the string Regards Max -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 30 October 2018 15:49 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: LDAP OU based authentication On Oct 30, 2018, at 10:27 AM, Tom Yard <tomyyard@gmail.com> wrote:
But now, the AD has changed and it hasn't groups anymore. So I have to do an OU based authentication for the users:
That's unfortunate. Groups really are a lot simpler.
Basedn: OU=technology,OU=mexico,DC=company,DC=com
I've read that DN's are also accepted as LDAP-Group values, so now I'm using this condition:
If (LDAP-Group == "OU=technology,OU=mexico,DC=company,DC=com")...
but it doesn't work.
Because that OU isn't an LDAP group.
Please how can I authenticate users in accordance with their OU and not their groups?
You need to run a custom LDAP query, and see if it returns any results: if ("%{ldap:... query OU and User}") { ... matched } else { ... it didn't match... } What that query is depends on your LDAP config. I'm not enough of an expert in LDAP to say more. Alan DeKok. - List info/subscribe/unsubscribe? See https://url6.mailanyone.net/v1/?m=1gHWGq-0007i7-5U&i=57e1b682&c=MDKJayVUCk5O... ------------------------------------ This email has been scanned for spam & viruses. If you believe this email should have been stopped by our filters, click the following link to report it (https://portal.mailanyone.net/index.html#/outer/reportspam?token=dXNlcj1tYXg...).