Handle user belongs to 2 LDAP Groups

Alan Buxey alan.buxey at gmail.com
Fri Mar 30 11:48:23 CEST 2018


Things don't just stop after each if statement - it's all fall-through -
but in post-auth you've already auth'd, you need to either be messing
with control
or do this in the normal auth phase instead

On 30 March 2018 at 08:37, luckydog xf <luckydogxf at gmail.com> wrote:
> It seems the default is Accept in the `post-auth` section unless you reject
> it explicitly.
>
>
>
> On Fri, Mar 30, 2018 at 3:01 PM, luckydog xf <luckydogxf at gmail.com> wrote:
>
>> hi,
>>
>> A weird thing is that I use LDAP to authenticate network devices and a
>> SuperMicro server.
>>
>> Code talks, see below. SuperMicro presents its NAS IP as 127.0.0.1, while
>> a network device doesn't.
>>
>> ========  SECTION: post-auth  =====================
>>
>> # Ref NO: 1
>> if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
>>         update reply {
>>                 &Service-Type = "NAS-Prompt-User",
>>                 &Huawei-Exec-Privilege = "2",
>>                 &Login-Service = 50
>>         }
>> }
>>
>> #Ref NO: 2
>> if (&LDAP-Group == "mgmt-console" &&  &NAS-IP-Address == "127.0.0.1") {
>>         update reply {
>>                 &Attr-26 = 0x483D342C20493D34
>>         }
>> }
>>
>> #Ref No: 3
>> else {
>>         update reply {
>>                 &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
>>         }
>>
>>         reject
>> }
>>
>> ===================================================
>>
>> Apparently, if the user exists in both the network-2 and mgmt-console groups of
>> LDAP, the tricky thing occurs.
>>
>> First, Ref No.1 is true and the auth continues, then Ref NO.2 evaluates;
>> since the NAS isn't 127.0.0.1 (I'm logging in to a network device), Ref No.2 isn't
>> true, so it comes to `else`, AKA Ref NO.3, and the user is denied by the network device.
>>
>> Any way to handle this situation?
>>
>> I spent the whole day on this, but no progress made yet.
>>
>> Thanks.
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
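The fall-through Alan describes is what the original config's three separate blocks do: the `else` belongs only to the second `if`, so a user in both groups who logs in to a network device passes Ref No.1 and is then rejected by Ref No.3. Chaining the three blocks with `elsif` makes them mutually exclusive, as in this added example (not the poster's config; it keeps the attribute values from the original post):

```unlang
post-auth {
        # Ref NO: 1 - user in network-2, logging in to a network device
        if (&LDAP-Group == "network-2" && &NAS-IP-Address != "127.0.0.1") {
                update reply {
                        &Service-Type = "NAS-Prompt-User",
                        &Huawei-Exec-Privilege = "2",
                        &Login-Service = 50
                }
        }
        # Ref NO: 2 - user in mgmt-console, logging in to the SuperMicro (NAS IP 127.0.0.1)
        # Only evaluated when Ref NO: 1 did not match, so a user in both
        # groups on a network device never reaches the reject below.
        elsif (&LDAP-Group == "mgmt-console" && &NAS-IP-Address == "127.0.0.1") {
                update reply {
                        &Attr-26 = 0x483D342C20493D34
                }
        }
        # Ref NO: 3 - neither group/NAS combination matched
        else {
                update reply {
                        &Reply-Message = "%{User-Name} is not allowed to access %{NAS-IP-Address}."
                }
                reject
        }
}
```

The same `elsif` chain can be placed in the authorize section instead, which is the "normal auth phase" alternative Alan suggests; there the reject happens before the user has been authenticated.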


More information about the Freeradius-Users mailing list