Using NAS-Identifier with login criteria

Matthew Newton mcn4 at leicester.ac.uk
Sun Apr 12 15:30:27 CEST 2015


On Sun, Apr 12, 2015 at 09:15:12AM -0400, Brian Boere wrote:
> What is the benefit of the change to the Ldap-Group line?

You've got 

if (Ldap-Group != ...) {
 <success>
}
else {
 <failure>
}

but note your config actually says "!=" -> not equal.

It's to do with the way Ldap-Group works internally; it's not a
real attribute, and does a lookup at each use. The operator is
essentially taken as "==" each time.

I'd either do what Alan suggested (if (!(Ldap-Group == ...))), or
just change your "!=" to "==" - in the way you've written your
config, it should work the same.

But record what you've done now, so if changes don't work you can
go back to them.

The reason I'd fix it? If you upgrade later on to a version where
Ldap-Group and != _do_ work as written, your config will break at
that point. Better to make sure the logic looks correct now IMO.

> The version that I am using was installed from YAST2 on a SLES11
> machine.  I applied all of the updates through YAST and figured
> it was up to date. What is the best process to upgrade to 2.2.6?

Many distributions are seriously (and annoyingly) way out of date
with FreeRADIUS packages. You can build up-to-date SuSE packages
fairly easily which will have all the latest bug/security fixes
in. See

http://wiki.freeradius.org/building/Build#Building-SUSE-packages

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

