configuration for retrieving LDAP security group membership
    Adam Thompson 
    athompson at uplogix.com
       
    Tue Jan 17 18:22:07 CET 2017
    
    
  
Stefan,
I had to change it a little, but your suggestion works - I owe you a beer next time I'm in the UK. 
Here's what I ended up with (for posterity):
post-auth {
    # For each memberOf DN in Uplogix-JUNK[n]: strip the base DN,
    # then keep only the CN value as Uplogix-GROUPn.
    if ("%{reply:Uplogix-JUNK[0]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
        if ("%{1}" =~ /CN=(.*)/) {
            update reply {
                Uplogix-GROUP1 := "%{1}"
            }
        }
    }
    if ("%{reply:Uplogix-JUNK[1]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
        if ("%{1}" =~ /CN=(.*)/) {
            update reply {
                Uplogix-GROUP2 := "%{1}"
            }
        }
    }
    if ("%{reply:Uplogix-JUNK[2]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
        if ("%{1}" =~ /CN=(.*)/) {
            update reply {
                Uplogix-GROUP3 := "%{1}"
            }
        }
    }
    if ("%{reply:Uplogix-JUNK[3]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
        if ("%{1}" =~ /CN=(.*)/) {
            update reply {
                Uplogix-GROUP4 := "%{1}"
            }
        }
    }
    if ("%{reply:Uplogix-JUNK[4]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
        if ("%{1}" =~ /CN=(.*)/) {
            update reply {
                Uplogix-GROUP5 := "%{1}"
            }
        }
    }
    # Join the extracted names and drop the raw DNs from the reply.
    update reply {
        Uplogix-User-Groups := " %{reply:Uplogix-GROUP1} ,  %{reply:Uplogix-GROUP2} , %{reply:Uplogix-GROUP3} , %{reply:Uplogix-GROUP4} , %{reply:Uplogix-GROUP5}"
        Uplogix-JUNK !* ANY
    }
}
Cheers,
Adam
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+athompson=uplogix.com at lists.freeradius.org] On Behalf Of Stefan Paetow
Sent: Monday, January 16, 2017 2:08 PM
To: FreeRadius users mailing list
Subject: Re: configuration for retrieving LDAP security group membership
>post-auth {
>        update reply {
>                Uplogix-User-Groups := " %{reply:Uplogix-JUNK[0]} , %{reply:Uplogix-JUNK[1]} , %{reply:Uplogix-JUNK[2]} , %{reply:Uplogix-JUNK[3]} , %{reply:Uplogix-JUNK[4]} , %{reply:Uplogix-JUNK[5]}"
>                Uplogix-JUNK !* ANY
>        }
>}
[8<]
>At first I thought I could use the !~ and =~, but it looks like those 
>can only be used to evaluate, not to change the contents of the reply.
You use exactly those like this (MileageMayVaryTM):
if ("%{Uplogix-JUNK[0]}" =~ /(.*),DC=doc,DC=uplogix,DC=com$/) {
    if ("%{1}" =~ /(.*),DC(.*)$/) {
        update reply {
            Uplogix-JUNK[0] := "%{1}"
        }
    }
}
:
:
:
FR3 has a lovely 'foreach' operator where you can loop through the entire array of Uplogix-JUNK and do this instead of a series of if statements...
With Regards
Stefan Paetow
Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
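
The 'foreach' approach mentioned in the thread, written out as an added example that is not part of either post and is not code from the FreeRADIUS project. It assumes FreeRADIUS 3.x and the thread's attribute names and base DN; it handles any number of group values and leaves no empty entries when a user belongs to fewer than five groups.

```unlang
post-auth {
    # Assumption: FreeRADIUS 3.x, and the LDAP module has already copied the
    # memberOf values into reply:Uplogix-JUNK, as in the thread.
    foreach &reply:Uplogix-JUNK {
        # Anchored at both ends so only groups directly under the expected
        # container match; [^,]+ limits the capture to the first RDN value.
        if ("%{Foreach-Variable-0}" =~ /^CN=([^,]+),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
            if (&reply:Uplogix-User-Groups) {
                # Later matches: append to the list built so far.
                update reply {
                    Uplogix-User-Groups := "%{reply:Uplogix-User-Groups} , %{1}"
                }
            }
            else {
                # First match: start the list.
                update reply {
                    Uplogix-User-Groups := "%{1}"
                }
            }
        }
    }

    # Remove the raw DNs so they are not sent back to the NAS.
    update reply {
        Uplogix-JUNK !* ANY
    }
}
```

Values that do not match the anchored pattern (for example, groups in another container) are skipped rather than passed through to the reply.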
    
    