Checking ldap-group in post-auth instead of users file ?
Fred MAISON
fred.maison at gmail.com
Tue Jun 1 16:47:35 CEST 2010
Thanks, Alan.
It seems to work with the following:

in sites-enabled/default:

    post-auth {
        if ( EAP-Type == "Cisco-LEAP" ) {
            if (!(Ldap-Group == wireless)) {
                fail
            }
        }
        .....

in sites-enabled/inner-tunnel:

    post-auth {
        if ( !(Ldap-Group == "wireless" )) {
            fail
        }

On Tuesday 01 June 2010 at 16:03 +0200, Alan DeKok wrote:
> Fred MAISON wrote:
> > I surely misunderstand something : in my test :
> > User is found on ldap in group wireless, but (Ldap-Group != "wireless")
> > evaluates to TRUE ...
>
> Err.... that's fairly broken right now. Try:
>
> if (!(LDAP-Group == "wireless")) {
> ...
>
> The reasons for this nonsense are buried inside of the rlm_ldap module.
>
> As always, patches are welcome. :)
>
> Alan DeKok.