avoiding ldap access in authorize
Fred
fred.maison at gmail.com
Thu Sep 29 12:03:39 CEST 2011
Hi all,
When using ldap with freeradius, radiusGroupName attributes can be
retrieved during execution of the ldap module.
groupname_attribute = "radiusGroupName"
groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile))"
groupmembership_attribute = "radiusGroupName"
On debug, we can see :
[ldap.nsslab] userPassword -> Password-With-Header ==
"{SSHA}MLRh2CQVi/UeANla4BjafYcB47FlMzRt"
[ldap.nsslab] sambaNtPassword -> NT-Password ==
0x3841414442424130303546464439454435354434374332433332434641303433
[ldap.nsslab] sambaLmPassword -> LM-Password ==
0x3238353536413643394433433936434244373437433744423436454232453738
[ldap.nsslab] radiusGroupName -> Ldap-Group == "AdminRW"
[ldap.nsslab] radiusGroupName -> Ldap-Group == "wifi"
[ldap.nsslab] radiusGroupName -> Ldap-Group == "wifipartners"
[ldap.nsslab] radiusGroupName -> Ldap-Group == "VpnSSL"
If I want to test those values, I used to do something like :
if ( Ldap-Group == "AdminRW" ) { do something }
This makes a new ldap access to be done by the server for an array
attribute which has already been retrieved by server.
Is there any other way to check those (already retrieved values)
without making a new ldap call because of Ldap-Group == "xxx"
conditional ?
Best regards,
Fred