attribute checking with AD

Stefan Winter
Hello,

after having almost successfully set up the authorize {} and authenticate {}
sections to do AD clear-text logins, only a small problem remains:
We want to allow access for only a subset of the AD users. These users are
distinguished from the others by the following criterion (you don't want to
know why):

if the AD attribute "Department" begins with the character "7", the user is
allowed access, otherwise not.
So far I mapped "Department" as a checkItem to one of our Vendor-Specific
attributes in ldap.attrmap and _wanted_ to do regexp matching in the users
file for that Vendor-Specific attribute after authorize->ldap passed through.
    DEFAULT Our-Vendor-Specific-Thing =~ "[^7].*", Auth-Type := Reject

This doesn't work (sorry, no debug output available, not my machine). Now I
wonder: is there another possibility to do regexp matching against items that
are retrieved from AD or LDAP? Unfortunately just checking the attributes
delivered by the NAS is not enough.

Greetings,

Stefan Winter

--
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Research engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [hidden email]     tel.:     +352 424409-1
http://www.restena.lu               fax:      +352 422473

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: attribute checking with AD

Alan DeKok
Stefan Winter <[hidden email]> wrote:
> So far I mapped "Department" as a checkItem to one of our Vendor-Specific
> attributes in ldap.attrmap and _wanted_ to do regexp matching in the users
> file for that Vendor-Specific attribute after authorize->ldap passed through.
> DEFAULT Our-Vendor-Specific-Thing =~ [^7].*, Auth-Type := Reject

  The "users" file doesn't do comparisons to check items very well.

  In the CVS head, the policy module can do this.  You may be able to
back-port it to 1.0.x.

  Alan DeKok.

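Editor's note, added here and not part of either message: the rule Stefan wants ("Department begins with 7, otherwise reject") is what the policy language that replaced rlm_policy in FreeRADIUS 2.x, unlang, was built for. The fragment below is an added example, not code from the thread or from the FreeRADIUS project; Our-Vendor-Specific-Thing is the poster's placeholder name, and "department" as the AD attribute name and the file names are assumptions. Two caveats it encodes: a checkItem from ldap.attrmap lands in the control list, not in the request, so a users-file entry never sees it; and FreeRADIUS regexes are unanchored, so "[^7].*" as posted would also match "7abc" at its second character, whereas /^7/ tests the first character only.

```unlang
# Added example (not from the thread). Same "Department must start with 7"
# rule in unlang (FreeRADIUS 2.x and later). Names below are assumptions:
# Our-Vendor-Specific-Thing is the poster's placeholder, "department" is the
# assumed AD attribute name.

# --- ldap.attrmap -----------------------------------------------------------
# checkItem entries are copied into the control list after authorize->ldap,
# which is why a users-file check item cannot compare against them.
checkItem   Our-Vendor-Specific-Thing   department

# --- sites-enabled/default, authorize section -------------------------------
authorize {
    preprocess
    ldap

    # Fail closed: negate a positive, anchored match. A regex against an
    # attribute that AD did not return can never be true, so users with no
    # Department at all are rejected instead of slipping through.
    if (!(control:Our-Vendor-Specific-Thing =~ /^7/)) {
        reject
    }
}
```

The anchored /^7/ is the whole criterion from the original post; keep "reject" as the only outcome of the negated branch so that a malformed or missing attribute cannot turn into an accept.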