Hi, On Thu, Sep 27, 2012 at 05:47:06PM +0000, David Aldwinckle wrote:
The problem with that is that I don't know how to get FreeRadius to read the groups for an arbitrary user that is not %User-Name. Can I copy another variable into the User-Name attribute in Post-Auth, and then do the group check there?
Look at the filter option for the ldap module. You can set it to search for anything, not necessarily just User-Name. Use a second instantiation of the ldap module to do your locked user checks on the main LDAP server after you've first searched for User-Name on the guest LDAP server (and pulled back the local user's account name - see ldap.attrmap). Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>