LDAP filter by OU Group
Brian Candler
b.candler at pobox.com
Thu Dec 8 10:45:41 CET 2016
On 08/12/2016 02:57, Albert K wrote:
> ldap
>
> if (LDAP-Group == "OU=hod,,dc=mycompay,dc=com") {
>
> update reply {
Apart from the problem with two commas which has already been reported:
1. LDAP-Group is a "magic" attribute, dynamically expanded when you
reference it. It does not work unless you use the new "&" notation -
i.e. &LDAP-Group. It will silently expand to empty if you omit "&".
(That is, unless you have set "cacheable_dn = yes" in which case the
group memberships are queried up-front and stored as real AV-pairs; but
even then, including the "&" does not hurt and is a good idea)
2. It's multi-valued, so you need "[*]" to check if any value matches:
if (&LDAP-Group[*] == "OU=hod,dc=mycompany,dc=com") {
3. I'm pretty sure that user-defined groups in Active Directory have CN
as the group name, and appear under the 'Users' tree. So it would most
likely look like:
if (&LDAP-Group[*] == "cn=Staff,cn=Users,dc=mycompany,dc=com") {
At this point you can get better information from running freeradius in
debugging mode (radiusd -X or freeradiusd -X in the foreground).
HTH,
Brian.
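The three corrections above (the "&" prefix, the "[*]" index, and a CN-based group DN), assembled into one complete authorize section as an added example; this is not configuration from the original thread and assumes a FreeRADIUS 3.x server with an rlm_ldap instance named "ldap" already working, a group DN of "cn=Staff,cn=Users,dc=mycompany,dc=com" (placeholder, substitute your own), and that the reply attributes chosen (Filter-Id, Reply-Message) are what the NAS expects.

```unlang
# Added example: the check as written in the original post, and a working form.
# Assumes FreeRADIUS 3.x and an rlm_ldap instance called "ldap" (mods-enabled/ldap).
authorize {
    preprocess
    chap
    mschap

    # Run the ldap module first so the user's DN is looked up and cached;
    # the &LDAP-Group comparison below is serviced by this module.
    ldap

    # Original (does not work):
    #   if (LDAP-Group == "OU=hod,,dc=mycompay,dc=com") {
    # Problems: no "&" (attribute silently expands to empty), no "[*]"
    # (LDAP-Group is multi-valued), a doubled comma, and an OU where an
    # AD security group is a CN under the Users container.

    # Corrected: placeholder group DN, replace with the real one.
    if (&LDAP-Group[*] == "cn=Staff,cn=Users,dc=mycompany,dc=com") {
        update reply {
            &Filter-Id := "staff"
            &Reply-Message := "Staff group member"
        }
    }
    else {
        # Not a member of the required group: reject rather than fall
        # through to an unrestricted Access-Accept.
        reject
    }

    pap
}
```

With the server started in the foreground (radiusd -X) and a test request sent, the debug output shows the group search rlm_ldap performs for the comparison and whether the reply attributes were set, which is the quickest way to confirm the group DN is right before relying on the reject branch.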
More information about the Freeradius-Users mailing list