Reject users based on LDAP attribute

C.F. Yeung yeungcf at gmail.com
Thu May 17 07:54:24 CEST 2012


We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on an LDAP attribute, WLANStatus. We added the attribute to the
dictionary and ldap.attrmap as follows. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE       My-Local-wlanStatus     3000    string

/etc/raddb/ldap.attrmap
replyItem       My-Local-wlanStatus             WLANStatus

/etc/raddb/sites-available/default
authorize {
        ...
        ldap
        if (My-Local-wlanStatus == "A1") {
                reject
        }
        ...
}

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=student,o=example.com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
rlm_ldap: WLANStatus -> My-Local-wlanStatus = "A1"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (My-Local-wlanStatus == "A1")
    (Attribute My-Local-wlanStatus was not found)
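The debug line "(Attribute My-Local-wlanStatus was not found)" is the key: a replyItem mapping in ldap.attrmap adds the attribute to the reply list, but an unqualified attribute name in an unlang condition is looked up in the request list, where it never existed. The following is an added example of the check with the list qualified, written for this reply and not taken from the original post; it assumes FreeRADIUS 2.x (the debug output above is in 2.x style) and the dictionary and ldap.attrmap entries exactly as posted.

```unlang
# Added example, not the original poster's configuration.
# Assumes FreeRADIUS 2.x and the posted entries:
#   /etc/raddb/dictionary:  ATTRIBUTE My-Local-wlanStatus 3000 string
#   /etc/raddb/ldap.attrmap: replyItem My-Local-wlanStatus WLANStatus
#
# "replyItem" places the value in the reply list.  An unqualified name in an
# unlang condition refers to the request list, which is why the original
# check logged "Attribute My-Local-wlanStatus was not found".  Qualifying the
# reference with "reply:" makes the comparison look where rlm_ldap put it.

authorize {
        # other modules as in the stock default site go here
        ldap

        # Evaluated after ldap has run, so the reply list already holds the
        # value copied from the WLANStatus LDAP attribute.
        if (reply:My-Local-wlanStatus == "A1") {
                reject
        }
}
```

The condition has to stay after the `ldap` call, since the list is empty before the module runs. Because the local attribute is numbered 3000 in the base dictionary, it is internal to the server and is not encoded on the wire, so rejecting here does not echo the WLANStatus value back to the NAS in the Access-Reject.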