attribute checking with AD
Hello, after having almost successfully set-up authorize {} and authenticate {} section to do AD clear-text logins, only a small problem remains: We want to allow access for only a subset of the AD users. These users are distinguished from the others by the following criterion (you don't want to know why): if the AD attribute "Department" begins with the character "7", the user is allowed access, otherwise not. So far I mapped "Department" as a checkItem to one of our Vendor-Specific attributes in ldap.attrmap and _wanted_ to do regexp matching in the users file for that Vendor-Specific attribute after authorize->ldap passed through. DEFAULT Our-Vendor-Specific-Thing =~ [^7].*, Auth-Type := Reject This doesn't work (sorry, no debug output available, not my machine). Now I wonder: is there another possibility to do regexp matching against items that are retrieved from AD or LDAP? Unfortunately just checking the attributes delivered by the NAS is not enough. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg email: stefan.winter@restena.lu tél.: +352 424409-1 http://www.restena.lu fax: +352 422473
Stefan Winter <freeradius-users-ml@stefan-winter.de> wrote:
So far I mapped "Department" as a checkItem to one of our Vendor-Specific attributes in ldap.attrmap and _wanted_ to do regexp matching in the users file for that Vendor-Specific attribute after authorize->ldap passed through. DEFAULT Our-Vendor-Specific-Thing =~ [^7].*, Auth-Type := Reject
The "users" file doesn't do comparisons to check items very well. In the CVS head, the policy module can do this. You may be able to back-port it to 1.0.x. Alan DeKok.
participants (2)
-
Alan DeKok -
Stefan Winter