configuration for retrieving LDAP security group membership

Alan DeKok aland at deployingradius.com
Tue Jan 17 19:29:44 CET 2017


> On Jan 17, 2017, at 12:22 PM, Adam Thompson <athompson at uplogix.com> wrote:
> 
> Stefan,
> 
> I had to change it a little, but your suggestion works - I owe you a beer next time I'm in the UK. 
> 
> Here's what I ended up with (for posterity):
> 
> post-auth {
> 
> 
>                if ("%{reply:Uplogix-JUNK[0]}" =~ /(.*),CN=Users,DC=doc,DC=uplogix,DC=com$/) {
>                        if ("%{1}" =~ /CN=(.*)/) {

  You can simplify those two regular expressions into one:

	if ("%{reply:Uplogix-JUNK[0]}" =~ /CN=([^,]+),CN=Users,DC=doc,DC=uplogix,DC=com$/) {

  The key is that ".*" also matches "CN=", which is *not* what you want.  So instead of ".*", you use an exclusion list.  The simplest is [^,]

  i.e. "match CN=, and then grab everything until the next comma".

  Alan DeKok.
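
The difference between the two-step match and the single pattern, as an added example that is not part of the original message. Python's `re` stands in for the FreeRADIUS regex engine (an assumption; greedy matching behaves the same for these patterns), and the DN values are constructed samples.

```python
import re

# Constructed sample values for reply:Uplogix-JUNK[0]; not taken from the thread.
SUFFIX = "CN=Users,DC=doc,DC=uplogix,DC=com"
SAMPLES = [
    f"CN=netadmins,{SUFFIX}",                 # plain group DN
    f"CN=netadmins,CN=Nested,{SUFFIX}",       # one extra CN= component
    f"CN=ops\\, tier2,{SUFFIX}",              # RFC 4514 escaped comma in the value
    "CN=netadmins,CN=Users,DC=other,DC=com",  # wrong domain suffix
]

# The two regular expressions from the quoted post-auth block.
STEP1 = re.compile(r"(.*),CN=Users,DC=doc,DC=uplogix,DC=com$")
STEP2 = re.compile(r"CN=(.*)")
# The single expression from the reply.
SINGLE = re.compile(r"CN=([^,]+),CN=Users,DC=doc,DC=uplogix,DC=com$")


def two_step(dn):
    """Apply both greedy patterns in sequence, as the nested ifs do."""
    m1 = STEP1.search(dn)
    if not m1:
        return None
    m2 = STEP2.search(m1.group(1))  # plays the role of %{1}
    return m2.group(1) if m2 else None


def single(dn):
    """Apply the combined pattern with the [^,] exclusion class."""
    m = SINGLE.search(dn)
    return m.group(1) if m else None


def compare(samples=SAMPLES):
    """Return (dn, two_step result, single result) for each sample."""
    return [(dn, two_step(dn), single(dn)) for dn in samples]


if __name__ == "__main__":
    for dn, a, b in compare():
        print(f"{dn}\n  two-step: {a!r}\n  single:   {b!r}")
```

With the extra `CN=` component, the two-step match returns `netadmins,CN=Nested` because `.*` runs across the comma, while the single pattern returns exactly one RDN value, the one directly above `CN=Users`. A value containing an escaped comma does not match the single pattern at all, so no group name is extracted for it.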



