LDAP Group assign to vlan after AD user authentication
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Jan 24 12:15:35 CET 2012
On 24 Jan 2012, at 09:05, NdK wrote:
> On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
>
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in Tmp-String-0 then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups in which case the result would be silently truncated (just something to watch for).
> Urgh! So easy! :)
>
>> Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow...
> Surely. But in some setups it's not possible to browse AD as an ldap
> server. At least w/o leaving around username and password. That's a
> no-no, unless you can create "service users" (which we can't :( ).
> But this way we can put users on different VLANs w/o problems :)
>
Ah fair enough. Yes you do need a user to bind.
> IIUC, post-auth exec should occur only once, right?
>
Yep.
-Arran
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
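The approach sketched in the reply above (run the script with a backtick expansion, keep the output in Tmp-String-0, regex-match it, then set the tunnel attributes) as an added unlang example; this is not code from the thread or from the FreeRADIUS project. It assumes a hypothetical script /usr/local/bin/ad-groups.sh that prints the authenticated user's AD group names as one comma-separated line, and the VLAN IDs 10 and 20 are constructed sample values.

```unlang
# post-auth section of a FreeRADIUS 2.x virtual server (added example).
# The backtick expansion runs the program directly and stores its stdout;
# /usr/local/bin/ad-groups.sh is a hypothetical helper that prints the
# user's group names as a single comma-separated line.
post-auth {
	update request {
		Tmp-String-0 := `/usr/local/bin/ad-groups.sh %{User-Name}`
	}

	# Anchor the match on the separators so "VLAN-Sales" does not also
	# match a group such as "VLAN-SalesAdmin".
	if (Tmp-String-0 =~ /(^|,)VLAN-Sales(,|$)/) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"   # constructed sample VLAN
		}
	}
	elsif (Tmp-String-0 =~ /(^|,)VLAN-Guest(,|$)/) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "20"   # constructed sample VLAN
		}
	}
	else {
		# No recognised group: leave the NAS on its default (or reject,
		# depending on policy) rather than guessing a VLAN.
		reject
	}
}
```

Two points worth checking in a real deployment: the string stored in Tmp-String-0 is subject to the internal string-size limit mentioned in the reply, so a member of many groups can have the tail of the list silently truncated, and a group near the end would then never match. Having the script print only the groups that are relevant to VLAN assignment keeps the output short and makes the truncation case visible rather than silent. The fall-through `reject` is the conservative choice; if the NAS should instead place unmatched users on a default VLAN, drop the `else` branch.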