On 24 Jan 2012, at 09:05, NdK wrote:

> On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
> 
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in 
>> Tmp-String-0 then use regular expression matches over the result to figure 
>> out whether it contains a certain group or not. You may hit the maximum 
>> internal string size if the user is a member of lots of groups in which case 
>> the result would be silently truncated (just something to watch for).
> Urgh! So easy! :)
> 
>> Honestly doing it with LDAP would probably be significantly easier and 
>> faster. Exec is really quite slow...
> Surely. But in some setups it's not possible to browse AD as an ldap
> server. At least w/o leaving around username and password. That's a
> no-no, unless you can create "service users" (which we can't :( ).
> But this way we can put users on different VLANs w/o problems :)
> 

Ah fair enough. Yes you do need a user to bind.

> IIUC, post-auth exec should occur only once, right?
> 

Yep.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
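
Added example, not part of the original thread and not FreeRADIUS's shipped configuration: the backtick-plus-regex approach described above, written in 2.x-style unlang. The script path, its `:group1:group2:` output format (no trailing newline), the group names and the VLAN IDs are all assumptions; the delimiter check is one way to notice the silent truncation mentioned in the reply.

```unlang
post-auth {
	# Run the (hypothetical) helper once and keep its output.
	# Assumed output: every group wrapped in colons, e.g. ":staff:wifi-users:"
	update request {
		Tmp-String-0 := `/usr/local/bin/radius-groups %{User-Name}`
	}

	# Attributes common to every VLAN assignment.
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
	}

	# A complete result starts and ends with ":". If the group list was
	# cut off at the internal string limit, the trailing ":" is missing,
	# so the result is not trusted for a group decision.
	if (Tmp-String-0 =~ /^:.*:$/) {
		# Match on the delimiters so "staff" does not also match
		# a group such as "staff-guests".
		if (Tmp-String-0 =~ /:staff:/) {
			update reply {
				Tunnel-Private-Group-Id := "20"   # assumed staff VLAN
			}
		}
		elsif (Tmp-String-0 =~ /:students:/) {
			update reply {
				Tunnel-Private-Group-Id := "30"   # assumed student VLAN
			}
		}
		else {
			update reply {
				Tunnel-Private-Group-Id := "40"   # assumed default VLAN
			}
		}
	}
	else {
		# Empty, malformed or truncated output: fall back to a
		# restricted VLAN instead of guessing from a partial list.
		update reply {
			Tunnel-Private-Group-Id := "999"   # assumed quarantine VLAN
		}
	}
}
```

Listing the most privileged groups first in the helper's output keeps them inside the part that survives truncation, but the delimiter check is what decides whether the list is used at all.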