Checking ldap-group in post-auth instead of users file ?

Fred MAISON fred.maison at gmail.com
Tue Jun 1 16:47:35 CEST 2010


Thanks, Alan.

It seems to work with the following:
in sites-enabled/default:
post-auth {
        if ( EAP-Type == "Cisco-LEAP" ) {
                if (!(Ldap-Group == wireless)) {
                        fail
                }
        }
 .....


in sites-enabled/inner-tunnel:

post-auth {
        if ( !(Ldap-Group == "wireless" )) {
                fail
        } 


On Tuesday 01 June 2010 at 16:03 +0200, Alan DeKok wrote:
> Fred MAISON wrote:
> > I surely misunderstand something : in my test :
> > User is found on ldap in group wireless, but (Ldap-Group != "wireless")
> > evaluates to TRUE ...
> 
>   Err.... that's fairly broken right now.  Try:
> 
> 	if (!(LDAP-Group == "wireless")) {
> 		...
> 
>   The reasons for this nonsense are buried inside of the rlm_ldap module.
> 
>   As always, patches are welcome. :)
> 
>   Alan DeKok.






More information about the Freeradius-Users mailing list