LDAP filter by OU Group

Albert K alberk at gmail.com
Fri Dec 9 02:10:17 CET 2016


Hi,

I still cannot get that to work. The radiusd seems to not be able to
evaluate the statement.  What else is not right here?  Thanks.


Wed Dec  7 05:45:12 2016 : Debug: (9)       if (&LDAP-UserDN =~
/,ou=hod,dc=mycompany,dc=com$/i) {
Wed Dec  7 05:45:12 2016 : ERROR: (9)       Failed retrieving values
required to evaluate condition
Wed Dec  7 05:45:12 2016 : Debug: (9)       else {
Wed Dec  7 05:45:12 2016 : Debug: (9)         update reply {
Wed Dec  7 05:45:12 2016 : Debug: (9)           &Tunnel-Type = VLAN
Wed Dec  7 05:45:12 2016 : Debug: (9)           &Tunnel-Medium-Type =
IEEE-802
Wed Dec  7 05:45:12 2016 : Debug: (9)           &Tunnel-Private-Group-Id =
"40"
Wed Dec  7 05:45:12 2016 : Debug: (9)         } # update reply = noop
Wed Dec  7 05:45:12 2016 : Debug: (9)       } # else = noop



LDAP Search

dn: CN=AL John,OU=HOD,DC=mycompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: AL John
sn: John
givenName: AL
distinguishedName: CN=AL John,OU=HOD,DC=mycompany,DC=com
instanceType: 4
whenCreated: 20161114092737.0Z
whenChanged: 20161208095249.0Z
displayName: AL John
uSNCreated: 24709
uSNChanged: 33392
name: AL John
objectGUID:: a10CMWI1m0+ENVS77ibeJA==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 131254645351788150
lastLogoff: 0
lastLogon: 131254645443226047
pwdLastSet: 131235892579628082
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAArDo7VXRW+jTSFI1mVAQAAA==
accountExpires: 9223372036854775807
logonCount: 3
sAMAccountName: ajohn
sAMAccountType: 805306368
userPrincipalName: ajohn at mycompany.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mycompany,DC=com
dSCorePropagationData: 20161208095249.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 131254582966146932

On Thu, Dec 8, 2016 at 7:07 PM, Brian Candler <b.candler at pobox.com> wrote:

> On 08/12/2016 07:56, Albert K wrote:
>
>> It is perfectly good and working if I filter by "Group name"  in my case
>> called "special" but I do not want to tag everyone (quite a number of
>> users)
>> in the OU with another group just for wifi.
>>
>
> It sounds like you're not talking about group membership then, but the OU
> component of the user's DN?
>
> In that case, perhaps what you want is a regexp match on the DN:
>
>     if (&LDAP-UserDN =~ /,ou=foo,dc=example,dc=com$/i) {
>
> "$" matches end of string, and "i" means "case insensitive"
>
> HTH,
>
> Brian.
>
>
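
As an added example (written for this page, not code from the thread or from FreeRADIUS), the following Python models the DN check Brian describes in two ways: the anchored, case-insensitive regex from his reply, and an RDN-aware comparison of the entry's parent DN. The sample DNs are constructed; the first is the one returned by the LDAP search above, the others are variants an authorization check has to treat correctly (a child OU under HOD, an OU whose name merely starts with "HOD", a CN containing an escaped comma, and the same OU name in a different domain). The `split_dn` helper and the function names are this example's own. It shows one thing the regex alone does not make obvious: the suffix match also accepts users placed in any OU nested beneath OU=HOD, so if the VLAN is an access boundary rather than a convenience, the stricter parent-DN comparison is the one to use.

```python
import re
from typing import List, Tuple

# Constructed sample DNs (first one taken from the LDAP search output in the thread).
SAMPLE_DNS = [
    "CN=AL John,OU=HOD,DC=mycompany,DC=com",          # direct member of OU=HOD
    "CN=Bob,OU=Interns,OU=HOD,DC=mycompany,DC=com",   # child OU under HOD
    "CN=Eve,OU=HODGEPODGE,DC=mycompany,DC=com",       # similar-looking OU name
    "CN=Smith\\, Jane,OU=HOD,DC=mycompany,DC=com",    # escaped comma inside the CN value
    "CN=Mallory,OU=HOD,DC=other,DC=com",              # same OU name, different domain
]

# The regex from the reply: "$" anchors at end of string, IGNORECASE plays the role of the "i" flag.
UNLANG_PATTERN = re.compile(r",ou=hod,dc=mycompany,dc=com$", re.IGNORECASE)


def regex_match(dn: str) -> bool:
    """Suffix check as the unlang condition would evaluate it."""
    return UNLANG_PATTERN.search(dn) is not None


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring RFC 4514 backslash
    escapes so an escaped comma inside a value does not start a new RDN.
    Multi-valued RDNs joined with '+' are not handled (not needed here)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def parent_dn_equals(dn: str, ou_dn: str) -> bool:
    """True only when the entry sits directly in ou_dn, not in a child OU."""
    entry = split_dn(dn)
    return entry[1:] == split_dn(ou_dn)


def classify(dns: List[str]) -> List[Tuple[str, bool, bool]]:
    """Return (dn, regex_result, direct_parent_result) for each DN."""
    target = "OU=HOD,DC=mycompany,DC=com"
    return [(dn, regex_match(dn), parent_dn_equals(dn, target)) for dn in dns]


if __name__ == "__main__":
    for dn, by_regex, by_parent in classify(SAMPLE_DNS):
        print(f"{dn!r:55} regex={by_regex!s:5} direct_parent={by_parent}")
```

The regex result is what the `if (&LDAP-UserDN =~ ...)` condition would produce once `LDAP-UserDN` is actually populated; the parent-DN comparison is the alternative when only entries directly in the OU should get the VLAN.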


More information about the Freeradius-Users mailing list