How to return Filter-ID attribute value for the users in Active Directory?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 18 17:18:45 CET 2012
On 18/01/12 16:04, suggestme wrote:
> There are different users under Staff, Administrators, Retirees, etc. in
> Active Directory as:
>
> OU=Staff
>   CN=users
> OU=Administrators
>   CN=users
> OU=Retirees
>   CN=users
Ok, so you want to look at the "OU" in the DN.
The "ldap" module sets the value "Ldap-UserDN". You can match this. This
is easiest in "unlang". For example, in sites-enabled/<name>:
authorize {
    ...
    ldap
    # match the 2nd part of the DN with a regexp
    # e.g.
    #   CN=foo,OU=bar,CN=com
    if (Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
        # store the regexp match in the control list
        update control {
            # This will be set to "bar"
            Tmp-String-1 := "%{1}"
        }
    }
    ...
}

post-auth {
    # now, read the value of Tmp-String-1
    update reply {
        Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
    }
}
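As an added illustration (not part of Phil's reply), the following Python mirrors the unlang regexp and the Filter-Id expansion so the DN shapes it accepts can be checked offline before deploying: a DN whose OU is not the second RDN, or whose OU value contains an RFC 4514 escaped comma, does not yield the intended policy name. The sample DNs are constructed, and it is assumed here that an unset `%{control:Tmp-String-1}` expands to an empty string.

```python
import re
from typing import Optional

# Same pattern as the unlang "if" above: the OU must be the 2nd RDN.
OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")

def extract_ou(ldap_user_dn: str) -> Optional[str]:
    """What unlang stores in control:Tmp-String-1 via %{1}, or None
    when the regexp does not match and the update block is skipped."""
    m = OU_RE.match(ldap_user_dn)
    return m.group(1) if m else None

def filter_id_for_dn(ldap_user_dn: str) -> str:
    """Mirror of the post-auth reply attribute. Assumption: an unset
    Tmp-String-1 expands to "", so a non-matching DN still produces a
    Filter-Id, just with an empty policy name."""
    policy = extract_ou(ldap_user_dn) or ""
    return f"Enterasys:version=1:policy={policy}"

# Constructed sample Ldap-UserDN values (not from the thread).
SAMPLE_DNS = [
    "CN=alice,OU=Staff,DC=example,DC=com",
    "CN=bob,OU=Administrators,DC=example,DC=com",
    "CN=carol,OU=Retirees,DC=example,DC=com",
    # OU is the 3rd RDN (user sits under CN=users): regexp does not match
    "CN=dave,CN=users,OU=Staff,DC=example,DC=com",
    # escaped comma inside the OU value: [^,]+ stops at the comma
    "CN=erin,OU=Staff\\, Dept,DC=example,DC=com",
]

def evaluate(dns):
    """Map each DN to (captured OU or None, resulting Filter-Id)."""
    return {dn: (extract_ou(dn), filter_id_for_dn(dn)) for dn in dns}

if __name__ == "__main__":
    for dn, (ou, fid) in evaluate(SAMPLE_DNS).items():
        print(f"{dn:48} OU={ou!r:14} -> {fid}")
```

Running it shows the last two DNs produce `policy=` and `policy=Staff\` respectively, which is why a default branch or a stricter DN layout check is worth adding before relying on the reply attribute.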