For an 802.1x authentication, radius first asks an AD server for information about a specific machine account. If this account belongs to a certain group,
the users file is consulted to check which VLAN the account gets assigned.

In radiusd.conf I set the groupname_attribute in the ldap section:

groupname_attribute = "primaryGroupID"

This works with a users file and entries like this without problems:

DEFAULT Ldap-Group == "515",  Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = Core1

For some reason I want the operator here not to be ==, but >=, and change the entry to:

DEFAULT Ldap-Group >= "500",  Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = Core1,
        Fall-Through = no

In this case I get:

rlm_ldap::groupcmp: Group 500 not found or user not a member

Further digging in the output of radiusd -AX unveils the reason:

rlm_ldap: performing search in dc=MYDOM,dc=NET, with filter (&(primaryGroupID=500)(|(&(objectClass=GroupOfNames)(member=CN=MC
The search here is done with "=": primaryGroupID=500

Is there any way to honor the operator >= in the users file in this case without modifying the source code?

Thanks
Norbert Wegener


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
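As an added illustration, not taken from the post or from FreeRADIUS itself: a small Python model of why the users-file operator never reaches the LDAP server (rlm_ldap only ever emits an equality filter, as the debug line above shows), next to the numeric comparison that would have to run on the account's own primaryGroupID value after the entry is fetched. The filter layout is copied from the debug output; the users-file lines, the account record and the helper names are constructed for this example.

```python
import re

# Operators the users file allows on a check item, mapped to integer comparisons.
_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

_CHECK_RE = re.compile(r'(\S+)\s+(==|!=|>=|<=|>|<)\s+"([^"]*)"')


def parse_check_item(line):
    """Return (attribute, operator, value) from the first check item of a users-file line."""
    m = _CHECK_RE.search(line)
    if not m:
        raise ValueError("no check item found in: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def rlm_ldap_group_filter(groupname_attribute, group, member_dn):
    """Filter as rlm_ldap builds it: always an equality test, whatever the users-file operator was.

    Shape taken from the post's debug line; the user part is simplified to a single member clause.
    """
    return "(&(%s=%s)(|(&(objectClass=GroupOfNames)(member=%s))))" % (
        groupname_attribute, group, member_dn)


def group_check_passes(op, wanted, account):
    """Apply the users-file operator numerically to the fetched primaryGroupID (an integer RID)."""
    return _OPS[op](int(account["primaryGroupID"]), int(wanted))


def assign_vlan(account, users_lines):
    """Walk constructed users-file lines in order; return the Tunnel-Private-Group-ID of the first match."""
    for check_line, reply in users_lines:
        _attr, op, wanted = parse_check_item(check_line)
        if group_check_passes(op, wanted, account):
            return reply
    return None


# Constructed sample data: a machine account and the two entries from the post.
SAMPLE_ACCOUNT = {"dn": "CN=MC-EXAMPLE,dc=MYDOM,dc=NET", "primaryGroupID": "515"}
SAMPLE_USERS = [('DEFAULT Ldap-Group >= "500",  Auth-Type := Accept', "Core1")]
```

Because the comparison has to happen on the value returned for the account, not inside the search filter, the example shows which step would need to change rather than offering a users-file syntax that FreeRADIUS does not support.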