On 24 Jan 2012, at 09:05, NdK wrote:
Il 24/01/2012 08:48, Arran Cudbard-Bell ha scritto:
But how do I set Tunnel-Private-Group-Id from an exec-ed script? Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for). Urgh! So easy! :)
Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow... Surely. But in some setups it's not possible to browse AD as an ldap server. At least w/o leaving around username and password. That's a no-no, unless you can create "service users" (which we can't :( ). But this way we can put users on different VLANs w/o problems :)
Ah fair enough. Yes you do need a user to bind.
IIUC, post-auth exec should occour only once, right?
Yep. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !