Regex Ldap Group
Kolbjørn Barmen
kolbjorn.barmen at uninett.no
Tue Feb 19 11:07:22 CET 2008
On Tue, 19 Feb 2008, Alan DeKok wrote:
> Rohaizam Abu Bakar wrote:
> > I tried to do regex match in Ldap-Group. From below users file, The
> > "NAS-Identifier" regex works OK but for Ldap-Group match, it's not
> > working as below DEBUG log.
>
> It doesn't work like that. The match is "IF the user is in the named
> group". See src/modules/rlm_ldap/rlm_ldap.c, function ldap_groupcmp().
>
> If you want it to do a regex match, you'll have to modify the code in
> rlm_ldap.
Also note that LDAP typically doesn't allow substring search on any given
attribute.
My solution is to use a separate script to perform a search in LDAP using
ldapsearch and output whatever you need in the attribute.
Example, I have LDAP users in either ou=group1,ou=test,o=bla, or
ou=group2,ou=test,o=bla, and there are no other LDAP-attributes to grab:
----
#! /bin/sh
# /usr/sbin/ldap2vlan
# Look up the user's DN and print the VLAN id for the OU it lives in.
# Note: ${1} (the User-Name) is placed in the LDAP filter unescaped.
# -w takes the bind password on the command line; -W would prompt for it.
GROUP=$(ldapsearch -x -LLL -h 10.0.0.92 -b ou=test,o=bla \
    -D cn=admin,ou=test,o=bla -w mypasswd \
    "(cn=${1})" dn | sed -n 's/,ou=test,o=bla//;s/.*=//p')
test "${GROUP}" = "group1" && echo -n 110 && exit 0
test "${GROUP}" = "group2" && echo -n 120 && exit 0
----
And then in the users file I have
DEFAULT Freeradius-Proxied-To == 127.0.0.1
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = `%{exec:/usr/sbin/ldap2vlan %{User-Name}}`
Tunnel-Private-Group-Id will then be either "110" or "120" depending on
whether the user is found in group1 or group2 (and group1 if found in both).
Hope this helps... :)
--
Kolbjørn Barmen
UNINETT Driftsenter
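A worked example added here (it is not part of the original post, nor the poster's script, nor FreeRADIUS code): the shell script above passes the RADIUS User-Name into the LDAP filter verbatim, so a name such as `*` or `x)(cn=*` changes what the search matches. The Python below builds the same `(cn=...)` filter with RFC 4515 escaping and performs the DN-to-VLAN mapping that the sed pipeline does, applying the stated rule that group1 wins when a user is found in both OUs. The base DN, OU names and VLAN ids come from the post; the function names and the sample `ldapsearch -LLL` output are constructed assumptions.

```python
"""Map an LDAP user's container OU to a VLAN id, building the search
filter safely.  Added example; base DN, OU names and VLAN ids are from the
post, function names and the sample LDIF are assumptions."""
import re
from typing import List, Optional

BASE_DN = "ou=test,o=bla"
# Order matters: a user found in both OUs gets group1's VLAN, as in the post.
VLAN_BY_OU = [("group1", "110"), ("group2", "120")]

# RFC 4515 section 3: these characters must be hex-escaped in a filter
# value; unescaped, a User-Name like "*" or "x)(cn=*" rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str) -> str:
    """Injection-safe counterpart of the script's '(cn='${1}')'."""
    return f"(cn={escape_filter_value(username)})"


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def group_from_dn(dn: str, base_dn: str = BASE_DN) -> Optional[str]:
    """Return the OU directly under base_dn for a DN such as
    'cn=alice,ou=group1,ou=test,o=bla'; None if the DN is not shaped that way.
    Attribute names and the base DN are compared case-insensitively."""
    rdns = split_rdns(dn)
    base = split_rdns(base_dn)
    if len(rdns) <= len(base):
        return None
    if [r.lower() for r in rdns[-len(base):]] != [b.lower() for b in base]:
        return None
    attr, _, value = rdns[-len(base) - 1].partition("=")
    if attr.strip().lower() != "ou":
        return None
    return value.strip()


def dns_from_ldif(ldif: str) -> List[str]:
    """Pull 'dn:' values out of ldapsearch -LLL output.  Base64 DNs ('dn::')
    and folded continuation lines are deliberately not handled here."""
    return [line[len("dn: "):].strip() for line in ldif.splitlines()
            if line.startswith("dn: ")]


def vlan_for_ldif(ldif: str) -> Optional[str]:
    """VLAN id for a search result, or None when no entry sits in a mapped OU."""
    groups = {group_from_dn(dn) for dn in dns_from_ldif(ldif)}
    for ou, vlan in VLAN_BY_OU:
        if ou in groups:
            return vlan
    return None


# Constructed stand-in for `ldapsearch -x -LLL ... "(cn=alice)" dn` output
# where the same cn exists in both OUs (not a real query result).
SAMPLE_LDIF = """dn: cn=alice,ou=group2,ou=test,o=bla

dn: cn=alice,ou=group1,ou=test,o=bla
"""

if __name__ == "__main__":
    print(build_filter("alice"))
    print(build_filter("*)(cn=*"))
    print(vlan_for_ldif(SAMPLE_LDIF))
```

In a deployment the filter from `build_filter()` is what gets handed to `ldapsearch` (or to an LDAP client library), and the LDIF it returns is fed to `vlan_for_ldif()`; the DN parsing also copes with escaped commas inside a cn and with differently cased base DNs, which the `sed` substitution does not.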