Checkitems
Dusty Doris
freeradius at mail.doris.cc
Fri Dec 16 02:44:16 CET 2005
> Maybe my last question was unclear this morning.
> Therefore I would like to rephrase it:
>
> Checkitems may be defined via ldap.attrmap e.g. like:
>
> checkItem User-Category primaryGroupID
>
> Those items, retrieved from an ldapserver and thus not part of the request:
> Are they supposed to be accessible by following modules?
>
> In a case like this in radiusd.conf:
>
> authorize { ldap { notfound = return } files }
>
> Should the files module have access to a check item User-Category?
> Thanks
I'm not sure, I've never tried that before, but I don't believe you can.
I think you'd need to use xlat for that. Grep for xlat in doc/rlm_ldap.

You could certainly use that ldap attribute as an Ldap-Group item, if you
are going to be keying off of it a lot.

In radiusd.conf:

groupmembership_attribute = "primaryGroupID"

Then in the users file:

DEFAULT Ldap-Group != "xxx", Auth-Type := Reject

or something like that.