ldap filter depending on NAS
Matthieu Lazaro
matthieu.lazaro at eservglobal.com
Wed Apr 22 10:43:36 CEST 2009
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>> It all happens as if the "if () { ... } else { ... } " is completely
>> ignored
>> (and thus it defaults to check if the uid exists)
>>
>
> Yes.
>
>
>> (ie: neither filter1 nor filter2 appears when debugging.
>> But when we only put filter, it appears when debugging)
>>
>> I think I'm missing a lot of details in the configuration and I have not
>> figured out how to do this with hints|huntgroups|clients files.
>> Any help on why this is not working or another simple solution is welcome.
>>
>
> You cannot dynamically change the module configuration. Those are
> static. The "unlang" policies can only go in the "authorize",
> "authenticate", etc. sections.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
OK. I have now understood why it was not working. However, this should
be clarified in http://freeradius.org/radiusd/man/unlang.html .
But I have good news: I have found the solution using the huntgroups
file and activating "groupmembership" in the LDAP module:
WIFI    NAS-IP-Address == 10.1.1.2
        Ldap-Group = WIFI_FR,
        Ldap-Group = WIFI_ALL
VPN     NAS-IP-Address == 10.1.1.3
        Ldap-Group = VPN
Flexibility comes when modifying the groupmembership_attribute so that
you can use whatever you want in your LDAP.
Still, I find a lot of points in FreeRADIUS that are obscure because they
are not documented enough.
For example: filtering with more than one attribute in checkval (MAC /
TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
user, etc.
Thanks for your help.
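To make the huntgroups entries above concrete, here is an added example (not from this thread and not FreeRADIUS code): a small evaluator that parses that file format, selects the entry whose NAS-IP-Address check matches a request, and then requires the user to hold one of the Ldap-Group values listed for it, mirroring the group check rlm_ldap performs when groupmembership is enabled. It assumes the listed groups are alternatives (membership in any one suffices) and that the first matching entry wins; the request and user group sets are constructed.

```python
import re

# Constructed copy of the huntgroups entries from the post (indentation added).
HUNTGROUPS = """
WIFI    NAS-IP-Address == 10.1.1.2
        Ldap-Group = WIFI_FR,
        Ldap-Group = WIFI_ALL
VPN     NAS-IP-Address == 10.1.1.3
        Ldap-Group = VPN
"""

# One check item: attribute, operator ("==" or "="), value. Items are
# comma separated, so a line may yield several matches.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|=)\s*"?([^",\s]+)"?')


def parse_huntgroups(text):
    """Return [(name, nas_items, group_items)] from huntgroups-style text.

    The first line of an entry names the huntgroup and carries the items that
    decide whether a request belongs to it; indented continuation lines carry
    extra check items (here Ldap-Group) the user must also satisfy.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                  # continuation: extra check items
            target = entries[-1][2]
        else:                                   # new entry: name + NAS check items
            name, _, line = line.partition(" ")
            entries.append((name, [], []))
            target = entries[-1][1]
        target.extend((attr, val) for attr, _op, val in ITEM_RE.findall(line))
    return entries


def authorize(request, user_groups, huntgroups=HUNTGROUPS):
    """Return the huntgroup the request is allowed into, or None.

    request: dict of request attributes, e.g. {"NAS-IP-Address": "10.1.1.2"}
    user_groups: set of LDAP group names the authenticating user belongs to
    """
    for name, nas_items, group_items in parse_huntgroups(huntgroups):
        # First-line items: every one must equal the request's attribute.
        if not all(request.get(attr) == val for attr, val in nas_items):
            continue
        # ASSUMPTION: Ldap-Group lines are alternatives; an entry with no
        # group lines places no restriction on who may use that NAS.
        wanted = {val for attr, val in group_items if attr == "Ldap-Group"}
        if not wanted or wanted & set(user_groups):
            return name
        return None                             # NAS matched, user not in groups
    return None                                 # NAS belongs to no huntgroup
```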