Antw: Re: Attr-Rewrite and Users File
Anja Ruckdaeschel
Anja.Ruckdaeschel at rz.uni-regensburg.de
Wed Oct 7 15:19:07 CEST 2009
Dear Alan!
Thanks for your answer, but now it seems to work...
But it would be nice, if you can tell me, if there is a better way to do
this...
What I tried to do, was this:
I´m getting some profile-Information from a NAS embedded in some crytical
string in
the attribute Acct-Session-Id. To extract the profile name I do the
stripping....
If the user is member of an ldap-group which cn matches with the profile-name
the users should be
accepted, else rejected... The groups are all in the same ou, so the whole
group-dn is not needed....
If the profile name equals to "test_default" no ldap-group-check should be
done only the "normal" named bind...
The Auth-Request in this case is a simple one (no CHAP, MSCHAP, etc...)
So, what I tried in the first place was some kind of "variable" group cn in
the users file, but that didn´t work out as I posted earlier...
Now I did it with (in default, authorize section):
authorize {
...
if (Acct-Session-Id) {
if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) {
update request {
Acct-Session-Id := "%{2}"
}
}
}
...
if (User-Name =~ /^(\.*)([a-zA-Z]{3}[0-9]{5})/ && Huntgroup-Name == "test" )
{
if (Acct-Session-Id != "test_default") {
if (ldapgroups1-Ldap-Group ==
"cn=%{Acct-Session-Id},o=test,c=de" ) {
update control {
Auth-Type := LDAP
}
ok
}
else {
reject
}
}
#if it´s test_default, ignore ldap-group an do only the named bind
else {
update control {
Auth-Type := LDAP
}
}
}
....
if (Huntgroup-Name != "test" ) {
files
}
...
}
I have a lot of things in the users file, so it should be left out only in
this special case...
Thank you very much...
Anja
>>> Alan DeKok <aland at deployingradius.com> 02.10.2009 20:33 >>>
Anja Ruckdaeschel wrote:
> Now I did it with unlang in the authorize section before the files
module....
>
> if (Acct-Session-Id) {
> if (Acct-Session-Id =~ /^[^\(]+([\(])([^\)]+).+$/ ) {
>
> update request {
> ldapgroups1-Ldap-Group :=
"cn=%{2},ou=vpn,ou=test,o=test,c=de"
The "ldapgroups1-Ldap-Group" attribute can *only* do comparisons.
Assigning to it is not supported.
And even if assigning to it was supported, the LDAP-Group attribute
checks group *names*. It doesn't support LDAP queries like "cn=...,ou=..."
Perhaps you could try to describe what you are trying to do. Describe
it in terms of ideas, not pieces of configuration files. The
configuration pieces you posted are wrong, and won't work.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list