Global User Blacklist
David Aldwinckle
daldwinc at uwaterloo.ca
Tue Jul 31 14:47:48 CEST 2012
Hi Phil,
I tried a test where I commented out "ldap" from the inner tunnel and it appears that you are correct.
I had thought that I would need to "load" the module for the LDAP-Group to be populated.
Anyway, thanks for the tip!
Dave
On 2012-07-31, at 8:41 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 31/07/12 13:26, David Aldwinckle wrote:
>> Hello,
>>
>> I figure that other people might benefit from this too, so...
>>
>> I was correct in my previous message. I added ldap to the authorize
>> section of the inner tunnel, and did the group checking in the
>> post-auth of the default server and everything worked wonderfully.
>
> This isn't working for the reasons you seem to think.
>
> The syntax:
>
> if (Ldap-Group == xx)
>
> ...performs a dynamic search against the LDAP directory for the user & group membership.
>
> If you're doing this in the "default" post-auth, you're running LDAP twice - once in the "inner-tunnel" authorize section, and once in the "default" post-auth.