Reject users based on LDAP attribute

Luo, Frank Y.F. Mr. luoy at muohio.edu
Thu May 17 15:56:20 CEST 2012


I have a similar situation.

$ sudo grep Profile dictionary
ATTRIBUTE Profile 3000 string

$ sudo grep Profile ldap.attrmap
replyItem Profile VPN


$ more default
.....
post-auth {
    if (Profile == g1) {
        update reply {
            class = "ou=g1;"
        }
    }
}

But in the log

# Executing section post-auth from file /opt/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++? if (Profile == g1)
    (Attribute Profile was not found)
? Evaluating (Profile == g1) -> FALSE
++? if (Profile == g1) -> FALSE


I also tried

If (reply:Profile == g1)

Any idea?

Thanks

Frank




On May 17, 2012, at 3:58 AM, C.F. Yeung wrote:

Thanks, it's working.

On Thu, May 17, 2012 at 3:22 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
On 05/17/2012 06:54 AM, C.F. Yeung wrote:
We have 802.1x authentication via AD. It's okay. Now, we would like to
reject users based on LDAP attribute, WLANStatus. Added attribute in
dictionary and ldap.attrmap as follows. Where should I put the unlang?

/etc/raddb/dictionary
ATTRIBUTE My-Local-wlanStatus 3000 string

/etc/raddb/ldap.attrmap
replyItem My-Local-wlanStatus WLANStatus


It's a REPLY item, so this should be:

if (reply:My-Local-wlanStatus == A1) {
 ...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list
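
The check from Phil Mayers's reply, placed in a virtual server, as an added example that is not part of the original thread. It assumes FreeRADIUS 2.x with the stock `ldap` and `reject` module instances, that `ldap` runs in `authorize`, and that "A1" is the value to deny (the thread does not say what A1 means).

```unlang
# raddb/sites-enabled/default (FreeRADIUS 2.x); added example, not from the thread.
authorize {
    # Other modules in this section stay as they are.

    # ldap must run before the check: it applies ldap.attrmap, and the
    # "replyItem" mapping copies WLANStatus into the *reply* list.
    ldap

    # A bare attribute name is looked up in the request list, which is why
    # an unqualified test logs "Attribute ... was not found". Name the list.
    if (reply:My-Local-wlanStatus == "A1") {    # "A1" = denied value (assumption)
        reject
    }

    # Optional fail-closed policy (assumption): deny when LDAP returned no value.
    if (!reply:My-Local-wlanStatus) {
        reject
    }
}
```

Running the server in debug mode (`radiusd -X`) shows each condition being evaluated, in the same form as the log excerpt quoted above.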