31 Jul
2012
31 Jul
'12
8:41 a.m.
On 31/07/12 13:26, David Aldwinckle wrote:
Hello,
I figure that other people might benefit from this too, so...
I was correct in my previous message. I added ldap to the authorize section of the inner tunnel, and did the group checking in the post-auth of the default server and everything worked wonderfully.
This isn't working for the reasons you seem to think. The syntax: if (Ldap-Group == xx) ...performs a dynamic search against the LDAP directory for the user & group membership. If you're doing this in the "default" post-auth, you're running LDAP twice - once in the "inner-tunnel" authorize section, and once in the "default" post-auth.