post-auth help to simplify
Alan DeKok
aland at deployingradius.com
Mon Aug 30 16:23:43 CEST 2021
On Aug 30, 2021, at 9:50 AM, Pizu <pizpower at gmail.com> wrote:
> Users have multiple groups but only 1 RSSO Group per user.
Then don't use LDAP-Group for this purpose. There are other ways of getting the same result which are more efficient.
Use the command-line "ldapsearch" tool to find an LDAP query which returns ONLY the RSSO group name for a user. In recent versions of the server, there's documentation in mods-available/ldap on how to translate the "ldapsearch" command-line options to the "ldap" module configuration.
Once you have the "ldapsearch" working, you can turn this into the FreeRADIUS configuration. Use the ldapsearch string in a dynamic expansion:
    update control {
        Tmp-String-0 := "%{ldap:... search for RSSO group}"
    }
Now you have the name of the LDAP group in a variable.
    # Tmp-String-0 was set in the "control" list above, so reference it there.
    if (&control:Tmp-String-0 != "") {
        update reply {
            &Tunnel-Type := "VLAN"
            &Tunnel-Medium-Type := "IEEE-802"
            &Tunnel-Private-Group-Id := "943"
            &Class := "%{control:Tmp-String-0}"
        }
    }
Alan DeKok.
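
Added example, not part of the original message or of the FreeRADIUS documentation: a shell sketch of the two steps described above, showing how the ldapsearch base (-b), scope (-s), filter and returned attribute map onto the LDAP URL used in the "ldap" expansion. The LDAP URI, base DN, posixGroup/memberUid schema, the "RSSO" name prefix and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: every value below is a constructed placeholder, not taken
# from the thread. Adjust to the real directory before use.
LDAP_URI='ldap://localhost'            # assumption
BASE_DN='ou=groups,dc=example,dc=org'  # assumption
SCOPE='sub'
RETURN_ATTR='cn'                       # attribute holding the group name

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is handled first so later escapes are not doubled.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter matching only the RSSO group of one member (assumed posixGroup
# schema, group names assumed to start with "RSSO").
rsso_filter() {
    printf '(&(objectClass=posixGroup)(cn=RSSO*)(memberUid=%s))' "$1"
}

# Step 1: test the query from the command line for one user name.
# The name is escaped, so filter metacharacters in it stay literal.
run_search() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s "$SCOPE" \
        "$(rsso_filter "$(ldap_escape "$1")")" "$RETURN_ATTR"
}

# Step 2: the same base, attribute, scope and filter written as an LDAP URL
# (dn?attribute?scope?filter) inside the "ldap" dynamic expansion.
radius_xlat() {
    printf '%%{ldap:ldap:///%s?%s?%s?%s}' \
        "$BASE_DN" "$RETURN_ATTR" "$SCOPE" "$(rsso_filter '%{User-Name}')"
}

# Print the string to place in the "update control" block.
radius_xlat; echo
```

run_search needs a reachable directory and is not called by the script itself; the query is ready to translate once it prints exactly one cn value per user.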