Authorization via getpwent (users coming via SSSD) (Freeradius-Users Digest, Vol 172, Issue 31)
Mike Ely
me at mikeely.org
Thu Aug 15 18:27:33 CEST 2019
On 8/14/19 12:46 PM, Alan DeKok wrote:
> Enable the "unix" module. Use the "Group" attribute, which does Unix group checking.
>
>     if (Group == "sales") {
>         reject
>     }
>     else if (Group == "engineering") {
>         accept
>     }
Thanks for that. Unfortunately it appears that this only works against
the primary group. Here's the stanza I have in sites-enabled/default:
    if (Group == "ipmi") {
        accept
    }
    else {
        update reply {
            Reply-Message = "User not allowed to connect to this device"
        }
        reject
    }
When trying to auth with a user who is very much part of the "ipmi" group:
(0) if (Group == "ipmi") {
(0) if (Group == "ipmi") -> FALSE
After switching the Group check to "Domain Users"
(0) if (Group == "Domain Users") {
(0) if (Group == "Domain Users") -> TRUE
Is there a known issue surrounding this and, if so, what workaround, if any,
should I be looking for?
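Added example, not part of the original message and not FreeRADIUS code: a Unix account can belong to a group either through the primary GID in its passwd entry or by being named in the group's member list, and this small C diagnostic reports which of the two NSS (and therefore SSSD) returns for a given user and group. The function and macro names are hypothetical.

```c
/* Added example, not FreeRADIUS source. Reports how NSS exposes a user's
 * membership of a group: as the primary GID in the passwd entry, as a
 * name in the group's member list, or both. Names are hypothetical. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

#define MEMBER_PRIMARY 0x1 /* pw_gid equals the group's gr_gid */
#define MEMBER_LISTED  0x2 /* user name appears in gr_mem */

/* Pure check on already-fetched entries, so it can be tested offline. */
int membership_kind(const struct passwd *pw, const struct group *gr)
{
    int kind = 0;
    if (pw == NULL || gr == NULL)
        return 0;
    if (pw->pw_gid == gr->gr_gid)
        kind |= MEMBER_PRIMARY;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++) {
        if (strcmp(*m, pw->pw_name) == 0) {
            kind |= MEMBER_LISTED;
            break;
        }
    }
    return kind;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER GROUP\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]); /* resolved through NSS */
    struct group *gr = getgrnam(argv[2]);  /* resolved through NSS */
    if (pw == NULL || gr == NULL) {
        fprintf(stderr, "user or group not found via NSS\n");
        return 1;
    }
    int kind = membership_kind(pw, gr);
    printf("%s in %s: primary=%s listed=%s\n", argv[1], argv[2],
           (kind & MEMBER_PRIMARY) ? "yes" : "no",
           (kind & MEMBER_LISTED) ? "yes" : "no");
    return kind ? 0 : 1;
}
```

Run on the RADIUS server as `./a.out USER GROUP`; the exit status is 0 when either form of membership is found.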