Group checking in ldap authorization
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 23 10:14:03 CET 2011
On 03/22/2011 06:15 PM, Robert Roll wrote:
> This does seem to work differently than I thought..
>
Yeah, like I say: it's a virtual attribute that does the group search
when you "compare" it.
> My model was something like ntlm_auth, which allows an authentication,
> but one can also require membership in a group at the same time...
>
> i.e. ntlm_auth ... --require-membership-of={SID|Name}
>
Nope, different.
> What I was really hoping is that I could look someone up in the
> directory in the user tree, but also then require they be in a
> particular group. The group would actually have a specific
> replyItem attribute that would return a VLAN if the user
> was part of the group...
>
> There are other ways of accomplishing this ....

I think you may want the LDAP "profiles" stuff?

Or, use an xlat:

    update reply {
        Tunnel-Private-Group-Id = "%{ldap:<ldap query url here>}"
    }
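
Added example, not part of the original message and not the FreeRADIUS project's own configuration: one way to combine the group comparison and the xlat discussed in this thread in a FreeRADIUS 2.x `authorize` section. The group DN, the directory suffix and the choice to store the VLAN in a `radiusTunnelPrivateGroupId` attribute on the group entry are assumptions made for illustration.

```unlang
authorize {
    # Look the user up in the user tree first.
    ldap

    # Comparing the virtual Ldap-Group attribute triggers the group search.
    # Group DN below is a constructed sample value.
    if (Ldap-Group == "cn=staff-vlan,ou=groups,dc=example,dc=org") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            # Read the VLAN id from the group entry itself (assumed attribute).
            # The URL contains only fixed values, no user-supplied input.
            Tunnel-Private-Group-Id = "%{ldap:ldap:///cn=staff-vlan,ou=groups,dc=example,dc=org?radiusTunnelPrivateGroupId?base?(objectClass=*)}"
        }
    }
    else {
        # Fail closed: a user outside the group gets no VLAN and no access.
        reject
    }
}
```

If the xlat finds no value it expands to an empty string, so confirm the group entry actually carries the attribute before relying on the reply.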