Matching Realms and Group-Membership
tnt at kalik.net
Thu Feb 5 23:20:57 CET 2009
>Now I want to implement a check, that verifies if a user authenticating with 10000 at realma.com is also in the group "realmA" and reject the request if this is not the case. This way I want to implement a "user X purchased product Y?"
>
>Already tried this: Adding in the radusergroup table:
>+---------------------+-----------+----------+
>| username            | groupname | priority |
>+---------------------+-----------+----------+
>| 10000 at realmA.com | realmA    | 10       |
>+---------------------+-----------+----------+
>
>And in the radgroupcheck table:
>+----+-----------+-----------+----+------------+
>| id | groupname | attribute | op | value      |
>+----+-----------+-----------+----+------------+
>| 1  | realmA    | Realm     | != | realma.com |
>+----+-----------+-----------+----+------------+
>
>And finally in the radgroupreply table:
>+----+-----------+-----------+----+--------+
>| id | groupname | attribute | op | value  |
>+----+-----------+-----------+----+--------+
>| 1  | realmA    | Auth-Type | := | Reject |
>+----+-----------+-----------+----+--------+
>
You do know that this doesn't do anything. If the password is linked to
username 10000 at realmA.com these group checks are pointless.
>And of course, my debug output says:
> rlm_realm: Adding Realm = "~^realmA.com$"
>
That shouldn't happen. realm suffix should return realmA.com as Realm
(without those regex things). Post the whole debug.
Ivan Kalik
Kalik Informatika ISP