Multivalued (LDAP) Attributes and string matching, or regexes
Alexander Clouter
alex at digriz.org.uk
Thu Jun 16 10:39:52 CEST 2011
Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:
>
> I find the easiest way to do it is to use a custom "users" file to allow /
> prevent access based on exact matches of LDAP attributes.
>
> then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
> reject.
>
> This is how we do it here:
>
> http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>
Depending on how you have things set up locally and how you are trying
to skin this particular cat, you could just use an LDAP filter to
get all this done and keep the logic out of FreeRADIUS (although I
probably would *not* recommend it):
----
filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
----
Means you get the effect as if the user did not even exist.
Just throwing another option out there...although I would recommend the
users file with a bunch of fall throughs personally.
Cheers
--
Alexander Clouter
.sigmonster says: All phone calls are obscene.
-- Karen Elizabeth Gordon
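
The filter from the message above, evaluated against constructed directory entries to show how it treats multivalued attributes. This is an added example, not code from the original post or from FreeRADIUS. It parses only the operators this filter uses, assumes case-insensitive matching and a username containing no filter metacharacters, and the names `parse`, `match`, `found` and `DIRECTORY` are hypothetical.

```python
# Added example: evaluator for the LDAP filter subset used in the post
# (&, |, !, equality, presence "=*", trailing-"*" prefix match).
# Assumptions: case-insensitive matching; username has no "(", ")" or "*".
FILTER = ("(&(objectClass=Person)(employeeType=staff*)"
          "(!(employeeType=staff retired))"
          "(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%s))")

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next index)."""
    i += 1                                 # skip opening "("
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1           # skip closing ")"
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def match(node, entry):
    """True if entry (attr -> list of values) satisfies the filter node."""
    if node[0] == "&":
        return all(match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(match(k, entry) for k in node[1])
    if node[0] == "!":
        return not match(node[1][0], entry)
    _, attr, want = node
    values = [v.lower() for v in entry.get(attr, [])]
    if want == "*":                        # presence: attribute has a value
        return bool(values)
    if want.endswith("*"):                 # prefix: any value may match
        return any(v.startswith(want[:-1]) for v in values)
    return want in values                  # equality: any value may match

def found(username, directory):
    """True if the search would return an entry for this username."""
    tree, _ = parse(FILTER % username)
    return any(match(tree, e) for e in directory)

P = ["Person"]
DIRECTORY = [  # constructed sample entries; attribute names in lower case
    {"cn": ["alice"], "objectclass": P, "employeetype": ["staff"]},
    {"cn": ["bob"], "objectclass": P, "employeetype": ["staff offsite"], "logindisabled": ["FALSE"]},
    {"cn": ["carol"], "objectclass": P, "employeetype": ["staff", "staff retired"]},
    {"cn": ["dave"], "objectclass": P, "employeetype": ["staff"], "logindisabled": ["TRUE"]},
    {"cn": ["erin"], "objectclass": P, "employeetype": ["student"]},
]
```

In this sample data `carol` is not found even though one of her `employeeType` values is `staff`: a negated equality on a multivalued attribute excludes the entry as soon as any single value matches.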