On 24 Jan 2012, at 08:23, NdK wrote:

> Il 23/01/2012 14:48, Arnaud Loonstra ha scritto:
> 
>> But I reckon you could also do something like that in post-auth section
>> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>>  update reply {
>>    Tunnel-type = VLAN
>>    Tunnel-medium-type = IEEE-802
>>    Tunnel-Private-Group-Id = 1
>>  }
>> }
> I think it could be possible to do the same using exec, a script and
> wbinfo... Just still don't know how.
> With
> for T in $(wbinfo --user-domgroups `wbinfo -n <ADusername>`) ; do
> wbinfo -s $T;
> done
> I can get all AD groups <ADusername> is into. Checking group membership
> would be even easier. But how do I set Tunnel-Private-Group-Id from an
> exec-ed script?

Just execute it using a backtick expansion, store the result in Tmp-String-0 
then use regular expression matches over the result to figure out whether it 
contains a certain group or not. You may hit the maximum internal string size 
if the user is a member of lots of groups in which case the result would be 
silently truncated (just something to watch for).

Honestly doing it with LDAP would probably be significantly easier and faster. 
Exec is really quite slow...

IIRC the LDAP Module is actually smart enough to figure out whether you passed 
in a DN as a group or just a groupname, so in theory if you have the filters 
and search depth set correctly you can just use Ldap-Group == "mygroup".

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
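Putting the suggestion above together as a post-auth fragment (an added example, not from the thread or the FreeRADIUS project; the helper script path /usr/local/sbin/adgroups.sh and its comma-separated output format are assumptions):

```unlang
# Added example, not from the thread. Assumes a hypothetical helper
# /usr/local/sbin/adgroups.sh that takes a username and prints that user's AD
# group names on one line, comma separated (e.g. "Domain Users,mygroup,vpn").
# The helper must quote its argument when passing it on to wbinfo.
post-auth {
    # Backtick expansion runs the helper; its stdout becomes the attribute
    # value. exec is slow, so run it once and keep the result in a temporary
    # attribute instead of calling the script per group.
    update request {
        Tmp-String-0 := `/usr/local/sbin/adgroups.sh %{User-Name}`
    }

    # Anchor the match on the separators so "mygroup" does not also match
    # "mygroup2" or "notmygroup".
    if (Tmp-String-0 =~ /(^|,)mygroup(,|$)/) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 1
        }
    }

    # The internal string buffer is finite: for a member of many groups the
    # list is silently truncated and a group past the cutoff never matches.
    # Have the helper print only the groups RADIUS cares about, not all of them.
}
```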
