Dear Alan! Thanks for your answer, but now it seems to work... But it would be nice, if you can tell me, if there is a better way to do this... What I tried to do, was this: I´m getting some profile-Information from a NAS embedded in some crytical string in the attribute Acct-Session-Id. To extract the profile name I do the stripping.... If the user is member of an ldap-group which cn matches with the profile-name the users should be accepted, else rejected... The groups are all in the same ou, so the whole group-dn is not needed.... If the profile name equals to "test_default" no ldap-group-check should be done only the "normal" named bind... The Auth-Request in this case is a simple one (no CHAP, MSCHAP, etc...) So, what I tried in the first place was some kind of "variable" group cn in the users file, but that didn´t work out as I posted earlier... Now I did it with (in default, authorize section): authorize { ... if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) { update request { Acct-Session-Id := "%{2}" } } } ... if (User-Name =~ /^(\.*)([a-zA-Z]{3}[0-9]{5})/ && Huntgroup-Name == "test" ) { if (Acct-Session-Id != "test_default") { if (ldapgroups1-Ldap-Group == "cn=%{Acct-Session-Id},o=test,c=de" ) { update control { Auth-Type := LDAP } ok } else { reject } } #if it´s test_default, ignore ldap-group an do only the named bind else { update control { Auth-Type := LDAP } } } .... if (Huntgroup-Name != "test" ) { files } ... } I have a lot of things in the users file, so it should be left out only in this special case... Thank you very much... Anja
Alan DeKok <aland@deployingradius.com> 02.10.2009 20:33 >>> Anja Ruckdaeschel wrote: Now I did it with unlang in the authorize section before the files module....
if (Acct-Session-Id) { if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) {
update request { ldapgroups1-Ldap-Group := "cn=%{2},ou=vpn,ou=test,o=test,c=de"
The "ldapgroups1-Ldap-Group" attribute can *only* do comparisons. Assigning to it is not supported. And even if assigning to it was supported, the LDAP-Group attribute checks group *names*. It doesn't support LDAP queries like "cn=...,ou=..." Perhaps you could try to describe what you are trying to do. Describe it in terms of ideas, not pieces of configuration files. The configuration pieces you posted are wrong, and won't work. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html