On 4 Jul 2013, at 18:33, Martin Kraus <lists...@wujiman.net> wrote:

> Hi.
>  I'd like to give users an option to specify which network to connect to
> using something like
> 
> helpdesk\username@realm
> admins\username@realm
> 
> I was thinking of stripping the network part in hints and saving it in a
> variable say Preferred-Network and then match on it in users 
> 
> DEFAULT Ldap-Group="%{Preferred-Network}" User-Profile := "%{Profile-DN}"
> 

That's missing a comma.

> Profile-DN would be matched to seeAlso in ldap.attr

You mean mapped?

Don't try and use the users file for complex stuff like this.

In your profile objects add an attribute for preferredNetwork.

Use ldap xlat to search in the directory for a profile object with a 
preferredNetwork attribute which matches the stripped path of the username, 
specify DN as the attribute to retrieve.

Something like:

authorize {
        update control {
                User-Profile := "%{ldap:ldap:///<base dn>?DN?sub?preferredNetwork=%{<your_preferred_network_attr>}}"
        }

        if (!control:User-Profile) {
                reject # or whatever you want to do for this case
        }

        ldap
}

But even that's kinda slow. You might want to take a look at using the caching 
module with %{<your_preferred_network_attr>} as the key.
Then at least you avoid the lookup for the profile DN every time.

If the ldap_xlat DN thing doesn't work (I think you can retrieve the DN using 
the attribute list, but not 100%) I can add a hack to 3.0 for it. But you'll 
need to upgrade.

-Arran

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team
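The flow Arran sketches (strip the network prefix, look up the profile DN by its preferredNetwork attribute, cache the answer per network) as an added, stand-alone Python example that is not part of this thread or of FreeRADIUS. The base DN, the login strings and the dict standing in for the directory are constructed for illustration; the filter is written in RFC 4516 form with parentheses and the network name is RFC 4515-escaped before it enters the filter.

```python
import re
from typing import Callable, Dict, Optional

# network\user@realm; the network and realm parts are optional
LOGIN_RE = re.compile(r"^(?:(?P<network>[^\\]+)\\)?(?P<user>[^@]+)(?:@(?P<realm>.+))?$")
BASE_DN = "dc=example,dc=com"  # constructed placeholder

def parse_login(login: str) -> Dict[str, Optional[str]]:
    """Split 'network\\user@realm' into its parts; missing parts come back as None."""
    m = LOGIN_RE.match(login)
    if not m:
        raise ValueError(f"unparseable login: {login!r}")
    return m.groupdict()

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied network name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def profile_url(network: str, attr: str = "preferredNetwork") -> str:
    """LDAP URL in the base?attrs?scope?filter form the ldap xlat takes."""
    return f"ldap:///{BASE_DN}?DN?sub?({attr}={ldap_filter_escape(network)})"

class ProfileCache:
    """Resolve a login to its profile DN, hitting the directory once per network."""
    def __init__(self, resolver: Callable[[str], Optional[str]]):
        self._resolver = resolver          # takes a search URL, returns a DN or None
        self._cache: Dict[str, Optional[str]] = {}
        self.lookups = 0                   # how many times the directory was consulted

    def profile_dn(self, login: str) -> Optional[str]:
        network = parse_login(login)["network"]
        if network is None:
            return None  # no network prefix: reject, or fall back as policy dictates
        if network not in self._cache:     # keyed on the network, as with the cache module
            self.lookups += 1
            self._cache[network] = self._resolver(profile_url(network))
        return self._cache[network]

# Constructed stand-in for the directory: search URL -> profile DN.
FAKE_DIRECTORY = {
    profile_url("helpdesk"): "cn=helpdesk,ou=profiles,dc=example,dc=com",
    profile_url("admins"): "cn=admins,ou=profiles,dc=example,dc=com",
}
cache = ProfileCache(FAKE_DIRECTORY.get)
```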

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html