
List:       freeradius-users
Subject:    Re: post-auth help to simplify
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-08-30 14:23:43
Message-ID: 32F4592B-494F-4C64-A3F8-203C81BCBA83 () deployingradius ! com

On Aug 30, 2021, at 9:50 AM, Pizu <pizpower@gmail.com> wrote:
> Users have multiple groups but only 1 RSSO Group per user.

  Then don't use LDAP-Group for this purpose.  There are other ways of getting the same result which are more efficient.

  Use the command-line "ldapsearch" tool to find an LDAP query which returns ONLY the RSSO group name for a user.  In recent versions of the server, there's documentation in mods-available/ldap on how to translate the "ldapsearch" command-line options to the "ldap" module configuration.

  Once you have the "ldapsearch" working, you can turn this into the FreeRADIUS configuration.  Use the ldapsearch string in a dynamic expansion:

	update control {
		Tmp-String-0 := "%{ldap:... search for RSSO group}"
	}

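  Now you have the name of the LDAP group in a variable.

  # Tmp-String-0 was set in the control list above, so reference it there.
  # An empty string means the search returned no RSSO group for this user.
  if (&control:Tmp-String-0 != "") {
          update reply {
                  &Tunnel-Type := "VLAN"
                  &Tunnel-Medium-Type := "IEEE-802"
                  &Tunnel-Private-Group-Id := "943"
                  &Class := "%{control:Tmp-String-0}"
          }
  }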

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
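
The translation step described in the message, as an added example that is not part of the original post or of FreeRADIUS: a small helper that turns a working "ldapsearch" command line into a `%{ldap:...}` expansion string. It assumes the expansion takes an LDAP URL of the form `ldap:///base?attribute?scope?filter` with exactly one attribute; the function name, the `USERNAME` placeholder, the directory layout and the "RSSO-" prefix are constructed for illustration.

```python
import shlex

# ldapsearch options that take a value / take none. Connection and bind
# settings are ignored: the "ldap" module supplies its own server and identity.
WITH_VALUE = {"-b", "-s", "-H", "-D", "-w", "-y"}
FLAGS = {"-x", "-LLL", "-ZZ"}
SCOPES = {"base", "one", "sub"}

# Constructed sample: directory layout and the "RSSO-" prefix are assumptions.
SAMPLE = (
    'ldapsearch -x -LLL -H ldap://ldap.example.org '
    '-D "cn=radius,dc=example,dc=org" -w secret '
    '-b "ou=groups,dc=example,dc=org" -s sub '
    '"(&(cn=RSSO-*)(member=uid=USERNAME,ou=people,dc=example,dc=org))" cn'
)

def ldapsearch_to_xlat(cmdline, placeholder="USERNAME"):
    """Return a %{ldap:...} expansion equivalent to an ldapsearch command."""
    argv = shlex.split(cmdline)[1:]          # drop the program name
    opts, positional = {}, []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in WITH_VALUE:
            if i + 1 >= len(argv):
                raise ValueError(f"{tok} needs a value")
            opts[tok] = argv[i + 1]
            i += 2
        elif tok in FLAGS:
            i += 1
        elif tok.startswith("-"):
            raise ValueError(f"unsupported option {tok}")
        else:
            positional.append(tok)
            i += 1
    if "-b" not in opts:
        raise ValueError("a search base (-b) is required")
    scope = opts.get("-s", "sub")            # ldapsearch defaults to sub
    if scope not in SCOPES:
        raise ValueError(f"unsupported scope {scope}")
    # The expansion yields one value, so require a filter plus one attribute.
    if len(positional) != 2:
        raise ValueError("expected a filter and exactly one attribute")
    flt, attr = positional
    flt = flt.replace(placeholder, "%{User-Name}")
    return "%{ldap:ldap:///" + f"{opts['-b']}?{attr}?{scope}?{flt}" + "}"

if __name__ == "__main__":
    print(ldapsearch_to_xlat(SAMPLE))
```

The returned string is what would go inside the quotes of the `Tmp-String-0 :=` assignment; bind credentials used on the command line are deliberately left out of it.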

