LDAP group check not working with SQL expansion

Klara Mall klara.mall at kit.edu
Tue Jul 25 18:03:46 CEST 2017


Hi,

On Tue, Jul 25, 2017 at 12:18:01AM +0200, Klara Mall wrote:
> As you suggested I will open a GitHub issue. But are there any other
> suggestions for a workaround? Unfortunately I really need one. I thought
> about doing the group check more explicitly. Is that possible somehow?

I've found a dirty workaround with an explicit LDAP lookup:

w2vgroupcheck {
    # Only act on realms of the form <vlan_name>.w2v.kit.edu.
    # After the match, %{1} holds <vlan_name>, so the realm suffix does not
    # have to be stripped again inside the database.
    if("%{Stripped-User-Domain}" =~ /^([^\.]+)\.w2v\.kit\.edu$/) {
        # does realm exist?
        if("%{sql:SELECT COUNT(*) FROM w2v WHERE vlan_name='%{1}'}" > 0) {
            update request {
                # posixGroup that is allowed onto this realm's VLAN
                Tmp-String-0 := "%{sql:SELECT group_name FROM w2v WHERE vlan_name='%{1}'}"
                # non-empty only if the (stripped) user name is a memberUid of that group
                Tmp-String-1 := "%{ldap:ldaps://ldap-1.xyz.kit.edu ldap-2.xyz.kit.edu/ou=unix,ou=IDM,dc=kit,dc=edu?memberUid?sub?(&(cn=%{Tmp-String-0})(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))}"
            }
            # is user in group according to realm?
            if (&Tmp-String-1 != "") {
                update reply {
                    Tunnel-Private-Group-Id := "%{sql:SELECT vlan_id FROM w2v WHERE vlan_name='%{1}'}"
                    Tunnel-Type := VLAN
                    Tunnel-Medium-Type := IEEE-802
                }
            }
            else {
                reject
            }
        }
        else {
            reject
        }
    }
}


Klara
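Added example, not part of Klara's post or of FreeRADIUS: a Python mirror of the decision the policy above makes (realm pattern, realm lookup, group membership, VLAN reply or reject), run over a constructed in-memory copy of the w2v table and a dict standing in for the posixGroup subtree. It also shows the RFC 4515 escaping that the user name and group name need before they are interpolated into the cn/memberUid filter; in the unlang version that job falls to the module's own escaping of expanded attributes. Table rows, group names and user names are made up.

```python
import re
import sqlite3

# Constructed sample of the w2v table queried by the policy:
# (vlan_name, group_name, vlan_id), one row per realm.
W2V_ROWS = [
    ("lab", "lab-users", "101"),
    ("office", "office-users", "102"),
]

# Constructed stand-in for the ou=unix posixGroup subtree: cn -> memberUid values.
POSIX_GROUPS = {
    "lab-users": {"alice", "bob"},
    "office-users": {"carol"},
}

# Same pattern as the unlang condition; group 1 is the vlan_name.
REALM_RE = re.compile(r"^([^.]+)\.w2v\.kit\.edu$")


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value that is placed inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(group_name, uid):
    """The filter the policy's %{ldap:...} lookup sends, with both values escaped."""
    return "(&(cn=%s)(objectClass=posixGroup)(memberUid=%s))" % (
        ldap_filter_escape(group_name), ldap_filter_escape(uid))


def make_db():
    """In-memory SQLite copy of the w2v table (hypothetical schema matching the queries)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE w2v (vlan_name TEXT PRIMARY KEY, group_name TEXT, vlan_id TEXT)")
    db.executemany("INSERT INTO w2v VALUES (?, ?, ?)", W2V_ROWS)
    return db


def w2v_group_check(db, groups, stripped_user_name, stripped_user_domain):
    """
    Mirror of the posted policy.  Returns None when the realm is not a w2v realm
    (the policy does nothing), "reject" when the realm is unknown or the user is
    not in its group, otherwise the reply attributes the policy would set.
    """
    m = REALM_RE.match(stripped_user_domain)
    if not m:
        return None
    vlan_name = m.group(1)  # what regexp_replace() in the post computes

    # Parameter binding instead of string interpolation for the realm lookup.
    row = db.execute(
        "SELECT group_name, vlan_id FROM w2v WHERE vlan_name = ?", (vlan_name,)
    ).fetchone()
    if row is None:
        return "reject"          # realm does not exist
    group_name, vlan_id = row

    # Dict lookup stands in for the LDAP search with group_filter(group_name, uid).
    if stripped_user_name not in groups.get(group_name, set()):
        return "reject"          # user is not a memberUid of the realm's group

    return {
        "Tunnel-Private-Group-Id": vlan_id,
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
    }


if __name__ == "__main__":
    db = make_db()
    for user, realm in [("alice", "lab.w2v.kit.edu"), ("carol", "lab.w2v.kit.edu"),
                        ("alice", "nope.w2v.kit.edu"), ("alice", "kit.edu")]:
        print(user, realm, "->", w2v_group_check(db, POSIX_GROUPS, user, realm))
    print(group_filter("lab-users", "a*b)"))
```

The four sample requests exercise the policy's four outcomes: a member of the realm's group gets the VLAN attributes, a non-member and an unknown realm are rejected, and a realm outside the w2v pattern is left alone. The escaped filter shows why a user name such as `a*b)` cannot alter the filter's structure.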

