On 03/22/2011 06:15 PM, Robert Roll wrote:
> This does seem to work differently than I thought..

Yeah, like I say: it's a virtual attribute that does the group search when you "compare" it.

> My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time... i.e. ntlm_auth ... --require-membership-of={SID|Name}

Nope, different.

> What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group... There are other ways of accomplishing this ....

I think you may want the LDAP "profiles" stuff? Or, use an xlat:

    update reply {
        Tunnel-Private-Group-Id = "%{ldap:<ldap query url here>}"
    }
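
Added example, not part of the original message: the "compare" behaviour described above, written as an unlang check that requires group membership and returns a VLAN only to members. The group DN, the VLAN ID and the choice of the post-auth section are assumptions made for illustration.

```text
# Constructed example: the group DN and VLAN ID below are placeholders.
post-auth {
    # Comparing LDAP-Group triggers the group search against the directory.
    if (LDAP-Group == "cn=vlan-staff,ou=groups,dc=example,dc=org") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "20"
        }
    }
    else {
        # Not a member: refuse access instead of falling back to a default VLAN.
        reject
    }
}
```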