Hi,

On Thu, Sep 27, 2012 at 05:47:06PM +0000, David Aldwinckle wrote:
> The problem with that is that I don't know how to get FreeRadius
> to read the groups for an arbitrary user that is not %User-Name.
> Can I copy another variable into the User-Name attribute in
> Post-Auth, and then do the group check there?

Look at the filter option for the ldap module. You can set it to
search for anything, not necessarily just User-Name.

Use a second instantiation of the ldap module to do your locked user
checks on the main LDAP server after you've first searched for
User-Name on the guest LDAP server (and pulled back the local user's
account name - see ldap.attrmap).

Cheers,

Matthew

--
Matthew Newton, Ph.D. <m...@le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html