Handle user belongs to 2 LDAP Groups

luckydog xf luckydogxf at gmail.com
Fri Mar 30 09:01:54 CEST 2018


A weird thing is that I use LDAP to auenticate Network devices and
SuperMicro Server.

Code talks, see below, SuperMicro presents its NAS IP as,while
Network device isn't.

========  SECTION: post-auth  =====================

# Ref NO: 1
if (&LDAP-Group == "network-2" && &NAS-IP-Address != "") {
        update reply {
                &Service-Type = "NAS-Prompt-User",
                &Huawei-Exec-Privilege = "2",
                &Login-Service = 50,


#Ref NO: 2
if (&LDAP-Group == "mgmt-console" &&  &NAS-IP-Address == "") {
        update reply {

                &Attr-26 = 0x483D342C20493D34

#Ref No: 3
else {
        update reply {

        &Reply-Message = "%{User-Name} is not allowed to access




Apparently if user exists in both network-2 and mgmt-console groups of
LDAP, the trick thing occurs.

First, it's true of Ref No.1, the auth continues, then Ref NO.2 evaluates,
while NAS isn't'm logging in network device), Ref No.2 isn't
true, it comes to `else` , AKA Ref NO.3, user is denied by network device.

Any way to handle this situation?

I spend the whole day to do this, but no progress made yet.


More information about the Freeradius-Users mailing list