Handle user belongs to 2 LDAP Groups
luckydog xf
luckydogxf at gmail.com
Fri Mar 30 09:37:42 CEST 2018
It seems the default is Accept in `post-auth` section unless you reject
it explicitly.
On Fri, Mar 30, 2018 at 3:01 PM, luckydog xf <luckydogxf at gmail.com> wrote:
> hi,
>
> A weird thing is that I use LDAP to authenticate network devices and a
> SuperMicro server.
>
> Code talks, see below: SuperMicro presents its NAS IP as 127.0.0.1, while
> the network device doesn't.
>
> ======== SECTION: post-auth =====================
>
> # Ref No. 1
> if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
>     update reply {
>         &Service-Type = "NAS-Prompt-User",
>         &Huawei-Exec-Privilege = "2",
>         &Login-Service = 50,
>     }
> }
>
> # Ref No. 2
> if (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") {
>     update reply {
>         &Attr-26 = 0x483D342C20493D34
>     }
> }
>
> # Ref No. 3
> else {
>     update reply {
>         &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
>     }
>
>     reject
> }
>
> ===================================================
>
> Apparently, if the user exists in both the network-2 and mgmt-console groups
> in LDAP, the tricky thing occurs.
>
> First, Ref No. 1 is true and the auth continues; then Ref No. 2 is evaluated,
> but since the NAS isn't 127.0.0.1 (I'm logging in to a network device), Ref
> No. 2 isn't true, and it comes to the `else`, AKA Ref No. 3: the user is
> denied by the network device.
>
> Any way to handle this situation?
>
> I spent the whole day on this, but have made no progress yet.
>
> Thanks.
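The fall-through described in the quoted message comes from the structure of the policy: Ref No. 1 and Ref No. 2 are two independent `if` blocks, so the `else` belongs only to Ref No. 2, and a request that already matched Ref No. 1 is still tested against Ref No. 2 and then rejected. As an added example (not the poster's config), the same policy written as one `if`/`elsif`/`else` chain, where exactly one branch runs and a member of both groups is handled by whichever NAS check matches:

```unlang
# Added example: rewrite of the quoted post-auth policy as a single chain.
# With if/elsif/else only the first matching branch executes, so a user who
# is in both network-2 and mgmt-console never reaches the reject unless
# neither group/NAS pairing applies.
post-auth {
    # Network device (any NAS other than 127.0.0.1) and network-2 member
    if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
        update reply {
            &Service-Type = "NAS-Prompt-User",
            &Huawei-Exec-Privilege = "2",
            &Login-Service = 50
        }
    }
    # SuperMicro management console (presents itself as 127.0.0.1) and
    # mgmt-console member
    elsif (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") {
        update reply {
            &Attr-26 = 0x483D342C20493D34
        }
    }
    # No group/NAS pairing matched: tell the user why and reject
    else {
        update reply {
            &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
        }
        reject
    }
}
```

A user in only one of the two groups still gets the same result as before: the single branch that applies to that group and NAS runs, and a mismatched NAS falls to the reject.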