attribute checking with AD

Stefan Winter freeradius-users-ml at
Wed Jul 20 16:19:04 CEST 2005


After having almost successfully set up the authorize {} and authenticate {} 
sections to do AD clear-text logins, only a small problem remains:
We want to allow access for only a subset of the AD users. These users are 
distinguished from the others by the following criterion (you don't want to 
know why):

if the AD attribute "Department" begins with the character "7", the user is 
allowed access, otherwise not.
So far I mapped "Department" as a checkItem to one of our Vendor-Specific 
attributes in ldap.attrmap and _wanted_ to do regexp matching in the users 
file for that Vendor-Specific attribute after authorize->ldap passed through.

DEFAULT Our-Vendor-Specific-Thing =~ [^7].*, Auth-Type := Reject

This doesn't work (sorry, no debug output available, not my machine). Now I 
wonder: is there another possibility to do regexp matching against items that 
are retrieved from AD or LDAP? Unfortunately just checking the attributes 
delivered by the NAS is not enough.


Stefan Winter


Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Research engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: stefan.winter at
tel.: +352 424409-1
fax: +352 422473
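
How the pattern in the users-file line above behaves on its own, as an added example that is not part of the original post or of FreeRADIUS. It assumes that =~ performs an unanchored POSIX extended-regex search (modelled here with regcomp/regexec); the function names, the "^7" allow-list pattern and the Department values are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

/* Returns 1 if `pattern` matches anywhere in `value` (unanchored POSIX
 * extended search, assumed to mirror the users-file =~ check), 0 if it
 * does not, and -1 if the pattern fails to compile. */
int regex_hits(const char *pattern, const char *value)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int hit = (regexec(&re, value, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Deny-list rule from the post: reject when "[^7].*" matches. */
int rejected_by_posted_rule(const char *dept)
{
    return regex_hits("[^7].*", dept) == 1;
}

/* Allow-list form (hypothetical): reject unless the value starts with '7'.
 * Empty values fail closed; a pattern compile error also rejects. */
int rejected_by_allowlist(const char *dept)
{
    return regex_hits("^7", dept) != 1;
}

int main(void)
{
    /* Constructed Department values, not taken from any real directory. */
    const char *samples[] = { "7", "777", "712", "7-IT", "412", "" };
    size_t n = sizeof samples / sizeof samples[0];

    printf("%-8s %-12s %s\n", "value", "posted rule", "allow-list");
    for (size_t i = 0; i < n; i++)
        printf("%-8s %-12s %s\n",
               samples[i][0] ? samples[i] : "(empty)",
               rejected_by_posted_rule(samples[i]) ? "reject" : "accept",
               rejected_by_allowlist(samples[i]) ? "reject" : "accept");
    return 0;
}
```

Under that assumption the posted pattern rejects "712" and "7-IT" even though they begin with "7", and lets an empty Department through, while the allow-list form rejects only values that do not start with "7".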
