Hi, On 07/25/2017 08:08 PM, Arran Cudbard-Bell wrote:
I've found a dirty workaround with an explicit LDAP lookup:
w2vgroupcheck { if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) { # does realm exist? if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" > 0) { update request { Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}" } # is user in group according to realm? if (&Tmp-String-1 != "") { update reply { Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name=regexp_replace('%{Stripped-User-Domain}', '\.w2v\.kit\.edu$', '')}" Tunnel-Type := VLAN Tunnel-Medium-Type := IEEE-802 } } else { reject } } else { reject } } }
Pushed a fix. Could you test and see if it addresses your issue.
https://github.com/FreeRADIUS/freeradius-server/commit/e56048c98bfab25ae9453...
Wonderful. I patched the freeradius version in Debian Stretch with it and it works. :) Thank you Klara