Matching Realms and Group-Membership
Robert Borz
robert.borz at web.de
Thu Feb 5 20:43:10 CET 2009
Hi,
I've successfully set up freeradius and so far it is doing what I want - checking realms and prefixes, and it uses a postgres database backend. ;)
Now I want to implement a check that verifies whether a user authenticating with 10000@realma.com is also in the group "realmA", and rejects the request if this is not the case. This is how I want to implement a "has user X purchased product Y?" check.
I already tried this: adding in the radusergroup table:
+---------------------+-----------+----------+
| username            | groupname | priority |
+---------------------+-----------+----------+
| 10000@realmA.com    | realmA    | 10       |
+---------------------+-----------+----------+
And in the radgroupcheck table:
+----+-----------+-----------+----+------------+
| id | groupname | attribute | op | value      |
+----+-----------+-----------+----+------------+
| 1  | realmA    | Realm     | != | realma.com |
+----+-----------+-----------+----+------------+
And finally in the radgroupreply table:
+----+-----------+-----------+----+--------+
| id | groupname | attribute | op | value  |
+----+-----------+-----------+----+--------+
| 1  | realmA    | Auth-Type | := | Reject |
+----+-----------+-----------+----+--------+
And of course, my debug output says:
rlm_realm: Adding Realm = "~^realmA.com$"
I also tried adding "~^realmA.com$" as value in the radgroupcheck table with no success.
I thought I already understood this concept... but adding "Auth-Type := Reject" in the radgroupcheck table works?!
My expression in radgroupcheck also works - I verified this by adding "Reply-Message += Is this working?" in radgroupreply, and the reply message is added to the response.
If anybody could assist me with this or just give me a hint, it'd be great!
Regards,
Robert Borz.
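An added example, not code from the post or from FreeRADIUS: an offline evaluator for a radusergroup / radgroupcheck / radgroupreply policy, so the three tables above can be tried against sample requests before the rows go into the live database. It assumes a simplified model of rlm_sql group processing (groups visited by priority; a group's reply rows apply only when every one of its check rows matches; ":=" check rows become control items such as Auth-Type; reply rows only ever reach the reply list), and the table rows and request dicts are constructed.

```python
import re

# Constructed rows mirroring the three tables from the post.
RADUSERGROUP = [("10000@realmA.com", "realmA", 10)]
RADGROUPCHECK = [("realmA", "Realm", "!=", "realma.com")]
RADGROUPREPLY = [("realmA", "Auth-Type", ":=", "Reject")]


def check_matches(request, attr, op, value):
    """Compare one radgroupcheck row against a request attribute dict."""
    actual = request.get(attr)
    if op == ":=":          # assumption: an assignment row always matches
        return True
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":          # regex check, like the "~^realmA.com$" attempt
        return actual is not None and re.search(value, actual) is not None
    raise ValueError(f"unsupported check operator {op!r}")


def evaluate(request, usergroup=RADUSERGROUP, groupcheck=RADGROUPCHECK,
             groupreply=RADGROUPREPLY):
    """Return (control, reply) built for one request under the simplified model."""
    control, reply = {}, {}
    user = request["User-Name"]
    for _prio, group in sorted((p, g) for u, g, p in usergroup if u == user):
        checks = [row for row in groupcheck if row[0] == group]
        if not all(check_matches(request, a, o, v) for _, a, o, v in checks):
            continue  # a check row failed: this group's reply rows are skipped
        for _, attr, op, value in checks:
            if op == ":=":  # e.g. Auth-Type := Reject placed in radgroupcheck
                control[attr] = value
        for g, attr, op, value in groupreply:
            if g != group:
                continue
            if op == ":=":
                reply[attr] = [value]
            elif op == "+=":  # e.g. Reply-Message += ...
                reply.setdefault(attr, []).append(value)
    return control, reply


def decision(request, **tables):
    """'reject' only when Auth-Type := Reject reached the control list."""
    control, _reply = evaluate(request, **tables)
    return "reject" if control.get("Auth-Type") == "Reject" else "continue"
```

Running the post's own rows through it shows that the realm check gates the reply rows, and that an Auth-Type set from radgroupreply stays in the reply list and never drives the decision, whereas the same row in radgroupcheck does.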