Ldap-Group DN and the match "=~" check
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 17 15:09:28 CEST 2006
Thibault Le Meur wrote:
> Hello,
>
> I've made a little test and found that the match operator "=~" doesn't work
> on my setup (Freeradius 1.0.4) for Groups defined as LDAP DNs.
>
> Indeed I'd like to use the following rule (in the users file):
>
> DEFAULT Ldap-Group =~ "cn=mygroupname,ou=(unit1|unit2|unit3),dc=mycorp,dc=org"
>         Fall-Through = no
>
> This way, a unique rule will match 3 different groups having the same cn,
> but in different subtrees.
>
> Am I missing something or is this setup impossible with Ldap-Groups ?

You are missing something.

Ldap-Group is not a real attribute that's copied to the config items.
It's a "virtual" attribute. At runtime, the right-hand-side of the
comparison is searched for in the LDAP directory.

There's no way to do what you want currently. Source code changes and/or
clever use of the ldap xlat might do it (see doc/rlm_ldap).
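
The behaviour described in this reply, as a simplified Python model. It is an added example, not FreeRADIUS code and not part of the original message. The directory contents, user DNs and function names are constructed for illustration, and expanding the alternation into one literal lookup per group DN is an assumption about how a lookup-based check has to be driven, not a tested FreeRADIUS configuration.

```python
import re

# Constructed sample directory: group DN -> set of member DNs.
DIRECTORY = {
    "cn=mygroupname,ou=unit1,dc=mycorp,dc=org": {"uid=alice,ou=people,dc=mycorp,dc=org"},
    "cn=mygroupname,ou=unit2,dc=mycorp,dc=org": {"uid=bob,ou=people,dc=mycorp,dc=org"},
    "cn=mygroupname,ou=unit3,dc=mycorp,dc=org": set(),
}
PATTERN = "cn=mygroupname,ou=(unit1|unit2|unit3),dc=mycorp,dc=org"
BOB = "uid=bob,ou=people,dc=mycorp,dc=org"        # constructed user DN
CAROL = "uid=carol,ou=people,dc=mycorp,dc=org"    # constructed, member of nothing


def real_attr_match(value, pattern):
    """A real attribute has a stored value, so a regex can be applied to it."""
    return re.fullmatch(pattern, value) is not None


def ldap_group_check(user_dn, rhs):
    """Virtual attribute: no stored value exists to match against.
    The right-hand side is looked up in the directory as a literal group,
    and the result is whether the user is a member of that group."""
    members = DIRECTORY.get(rhs)  # regex syntax in rhs is never interpreted
    return members is not None and user_dn in members


def expand_alternation(pattern):
    """Expand the first '(a|b|c)' group into literal strings (assumed helper)."""
    m = re.search(r"\(([^()]*)\)", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [head + alt + tail for alt in m.group(1).split("|")]


def in_any_group(user_dn, pattern):
    """One literal lookup per group DN instead of one regex comparison."""
    return any(ldap_group_check(user_dn, dn) for dn in expand_alternation(pattern))


if __name__ == "__main__":
    print("regex on a stored value:", real_attr_match(
        "cn=mygroupname,ou=unit2,dc=mycorp,dc=org", PATTERN))
    print("regex handed to the group lookup:", ldap_group_check(BOB, PATTERN))
    print("one lookup per expanded DN:", in_any_group(BOB, PATTERN))
```

In this model the regex rule never matches for any user, so an authorization rule written that way is silently dead rather than rejected as a configuration error.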