post-auth help to simplify
Pizu
pizpower at gmail.com
Mon Aug 30 15:50:30 CEST 2021
Hi,
Thanks all for replying.
Users have multiple groups but only 1 RSSO Group per user.
Regards,
Pizu
On Mon, 30 Aug 2021 at 14:50, Alan DeKok <aland at deployingradius.com> wrote:
> On Aug 30, 2021, at 4:20 AM, Pizu <pizpower at gmail.com> wrote:
> > Currently we have the below in the post-auth and I would like to simplify
> > this.
> >
> > if (&LDAP-Group == "RSSO - Group - 01") {
> >     update reply {
> >         &Tunnel-Type := "VLAN"
> >         &Tunnel-Medium-Type := "IEEE-802"
> >         &Tunnel-Private-Group-Id := "943"
> >         &Class := "RSSO-Group-01"
> >     }
> > }
> > elsif (&LDAP-Group == " RSSO - Test - Group - 01 ") {
> >     update Reply {
> >         &Tunnel-Type := "VLAN"
> >         &Tunnel-Medium-Type := "IEEE-802"
> >         &Tunnel-Private-Group-Id := "943"
> >         &Class := "RSSO-Test-Group-01"
> >     }
> > }
> > etc...
>
> Yeah, that's a lot of repetition.
>
> > We have over 70 groups like this, the above is working but I'd like to
> > minimize the changes on the freeradius configuration and was thinking of
> > using regex but not sure if it's possible in my case.
>
> You can't use regexes for LDAP group matching. That's because the user
> may be in many groups, so there may be many matches to the regular
> expression.
>
> Plus, why set a string value for Class? The Class attribute is just an
> opaque token. You could just as easily set it to 0x01, or 0x02. There's
> no need to have a *printable* string.
>
> So the question is, are the users a member of only one LDAP group? If
> so, then there are potential simplifications. If the user is a member of
> multiple LDAP groups, then an if/then/else chain is really all you can do.
>
> Alan DeKok.
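An added example, not part of the thread and not FreeRADIUS code: since the reply above says an if/elsif chain is what remains when users are in several LDAP groups, this Python sketch keeps the 70-odd groups as a data table and generates the chain in the syntax quoted in the thread. The table contents, the function names and the rule deriving Class from the group name are assumptions made for illustration.

```python
import re

# Constructed sample table: (LDAP group name, VLAN id), modelled on the thread.
GROUPS = [
    ("RSSO - Group - 01", 943),
    ("RSSO - Test - Group - 01", 943),
]

# Only allow characters that cannot break out of a double-quoted unlang string.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.-]+")


def class_for(group):
    """'RSSO - Group - 01' -> 'RSSO-Group-01', the naming used in the thread."""
    return re.sub(r"\s*-\s*", "-", group.strip())


def validate(groups):
    """Reject rows that would yield a broken or ambiguous policy."""
    seen = set()
    for name, vlan in groups:
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe group name: {name!r}")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN id out of range for {name!r}: {vlan}")
        if class_for(name) in seen:
            raise ValueError(f"duplicate group/Class: {name!r}")
        seen.add(class_for(name))


def render_post_auth(groups):
    """Emit the if/elsif chain; the first matching group wins."""
    validate(groups)
    out = []
    for i, (name, vlan) in enumerate(groups):
        out += [
            f'{"if" if i == 0 else "elsif"} (&LDAP-Group == "{name}") {{',
            "    update reply {",
            '        &Tunnel-Type := "VLAN"',
            '        &Tunnel-Medium-Type := "IEEE-802"',
            f'        &Tunnel-Private-Group-Id := "{vlan}"',
            f'        &Class := "{class_for(name)}"',
            "    }",
            "}",
        ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_post_auth(GROUPS), end="")
```

The generated text is meant to be reviewed and pasted into the post-auth section; with one RSSO group per user, as stated in the thread, the order of the rows does not change the result.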