> Now I'm trying to return different reply attributes depending on Active
> Directory group membership and restrict which groups can authenticate.
> Ldap lookups against the active directory root fail with operation error.
> Reconfiguring Active Directory is not a viable option so I have to specify
> an OU=xxxx in the query. I have configured two instances of the ldap module
> for authorisation, one to query the staff ou and the other to query the
> student ou. Both work OK for valid queries but if the user does not exist
> in the ou the server still authenticates the username/password and grants
> access if valid.
>
> You need to upgrade to 2.x and use unlang. See man unlang on freeradius
> site. You need something like:
>
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else }
> else update control { to reject }
>
I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts. I can't do "if Ldap-Group" because there is no container in Active Directory above staff and student to query. What I think I need is:

if ldap_staff returns "ok" {
    update reply {
        ..................
    }
}
elsif ldap_student returns "ok" {
    update reply {
        ..................
    }
}
else {
    Auth-Type := Reject
}

, where ldap_staff and ldap_student are instances of the ldap module. I simply can't get the syntax right. Am I on the right track? If so, a little help please.

Regards,
Leighton

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
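As an added illustration (not part of the list post, and not FreeRADIUS's own shipped configuration), the following is one way to write that branching in FreeRADIUS 2.x unlang. It assumes two ldap module instances named ldap_staff and ldap_student are already defined with basedn values pointing at the staff and student OUs, and uses Filter-Id with placeholder values where the post has "..................". The point of the final else is the security fix the original question is about: a user found in neither OU is rejected instead of falling through to whatever the authentication method decides about the password.

```unlang
# Added example, not from the post: authorize section that keys on the
# return code of each ldap instance.  Assumes instances ldap_staff and
# ldap_student exist in modules/ldap (their basedn lines are not shown here).
authorize {
    preprocess

    # In the authorize section an ldap instance returns "ok" when the user's
    # DN is found under its basedn, "notfound" when it is not, and "fail" on
    # an LDAP error.  "if (ok)" tests the return code of the module just run.
    ldap_staff
    if (ok) {
        update reply {
            Filter-Id := "staff"        # placeholder reply attribute
        }
    }
    else {
        # Not under the staff OU: try the student OU.
        ldap_student
        if (ok) {
            update reply {
                Filter-Id := "student"  # placeholder reply attribute
            }
        }
        else {
            # Found in neither OU: refuse the request outright, even if the
            # password would otherwise be accepted.  This is the branch that
            # was missing when unknown users were still being authenticated.
            update control {
                Auth-Type := Reject
            }
        }
    }
}
```

Note that "notfound" from an ldap instance does not stop the authorize section on its own (it is a low-priority return code that lets later modules run), which is why the explicit else/reject is needed rather than relying on the lookup failing.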