Handle a user who belongs to 2 LDAP groups

luckydog xf luckydogxf at gmail.com
Fri Mar 30 09:01:54 CEST 2018


hi,

Something weird happens when I use LDAP to authenticate network devices and
a SuperMicro server.

Code talks, see below. SuperMicro presents its NAS IP as 127.0.0.1, while
the network device doesn't.

========  SECTION: post-auth  =====================

# Ref No: 1
if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
        update reply {
                &Service-Type = "NAS-Prompt-User",
                &Huawei-Exec-Privilege = "2",
                &Login-Service = 50,
        }
}

# Ref No: 2
if (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") {
        update reply {
                &Attr-26 = 0x483D342C20493D34
        }
}

# Ref No: 3
else {
        update reply {
                &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
        }

        reject
}

===================================================

Apparently, if the user exists in both the network-2 and mgmt-console LDAP
groups, the tricky thing occurs.

First, Ref No. 1 is true and the auth continues. Then Ref No. 2 evaluates;
since the NAS isn't 127.0.0.1 (I'm logging in to a network device), Ref No. 2
isn't true, so it falls to the `else`, AKA Ref No. 3, and the user is denied
by the network device.

Any way to handle this situation?

I spent the whole day on this, but no progress has been made yet.

Thanks.
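The behaviour described in the post follows from how unlang scopes `else`: it binds only to the `if` (or `elsif`) immediately before it, so in the posted config the `else` belongs to Ref No. 2 alone and fires whenever Ref No. 2 is false, regardless of whether Ref No. 1 already matched. The fix is to make the three rules one `if` / `elsif` / `else` chain so that the first true branch wins and the reject applies only when neither rule matches. The block below is an added example, not the poster's config or anything from the FreeRADIUS project; it assumes FreeRADIUS 3.x unlang syntax and is the body of the `post-auth` section of the virtual server, with the attribute names and values copied from the post.

```unlang
# Added example (not the original poster's config): the same three rules as
# a single if / elsif / else chain. Assumes FreeRADIUS 3.x unlang; this is
# the post-auth section of the virtual server (e.g. sites-enabled/default).
post-auth {
        # Ref No. 1: network devices, matched by LDAP group and by the NAS
        # not being the local SuperMicro (which presents itself as 127.0.0.1)
        if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
                update reply {
                        &Service-Type = "NAS-Prompt-User",
                        &Huawei-Exec-Privilege = "2",
                        &Login-Service = 50
                }
        }
        # Ref No. 2: only evaluated when Ref No. 1 did NOT match, so a user
        # who is in both groups still gets the network-device reply above
        elsif (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") {
                update reply {
                        &Attr-26 = 0x483D342C20493D34
                }
        }
        # Ref No. 3: neither rule matched for this user/NAS pair, so reject
        else {
                update reply {
                        &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
                }
                reject
        }
}
```

Two practical notes. First, `&LDAP-Group == "..."` performs a group-membership lookup against LDAP each time it is evaluated, so chaining with `elsif` also avoids the second lookup once the first rule has matched. Second, verify the change by starting the server with `radiusd -X` and sending a request from each NAS: the debug output shows exactly which branch matched, which is the quickest way to confirm that a dual-group user now lands in Ref No. 1 on the network device and in Ref No. 2 on the SuperMicro.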


More information about the Freeradius-Users mailing list