Patrick Mackey
Jun 17, 2024, 12:57:05 AM
to Event-Driven Servers
tac_plus had an option where a user could specify which of their multiple groups they wanted by appending *groupname to their login.
This doesn't seem to be available on tac_plus-ng.
I'm looking for a solution where a user who logs in with username@admin (or similar) is assigned to an admin profile. Otherwise, they are assigned some default account.
Something like this:
ruleset {
    rule admin {
        enabled = yes
        script {
            if ( user =~ /@admin/ ) {
                if (memberof =~ /^CN=AdminUsers,/) {
                    profile = admin
                    permit
                }
                if (memberof =~ /^CN=ReadUsers,/) {
                    profile = user
                    permit
                }
            }
        }
    }
}
I have two requirements:
1. The username suffix must be stripped before doing an external MAVIS lookup.
2. The rule test needs access to the original username as received from the NAS.
I can't find a way to meet both of these. Rewrite meets the first, but breaks the second. Also, any user rewrite in a MAVIS script does nothing and, according to the documentation, is not supported.
Is there a way to achieve this?
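As an added illustration (not code from the post, and not tac_plus-ng configuration), here is a small Python model of the decision the ruleset above is meant to express: split the NAS-supplied login into the lookup name and the requested suffix, run the membership check on the stripped name against a constructed directory, and grant the admin profile only when the @admin request is backed by AdminUsers membership. The directory contents, group DNs, profile names and function names are assumptions.

```python
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed stand-in for the external MAVIS/LDAP lookup:
# stripped login name -> group DNs the user is a member of.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"CN=AdminUsers,OU=Groups,DC=example,DC=com"}),
    "bob": frozenset({"CN=ReadUsers,OU=Groups,DC=example,DC=com"}),
}

# A login is "<user>@<suffix>"; the suffix is a request, never an authorization.
SUFFIX_RE = re.compile(r"^(?P<user>[^@]+)@(?P<suffix>[A-Za-z0-9_-]+)$")


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Requirement 1 and 2 together: return the stripped name for the
    directory lookup while keeping the suffix the NAS actually sent."""
    m = SUFFIX_RE.match(login)
    if m:
        return m.group("user"), m.group("suffix")
    return login, None


def resolve_profile(login: str, directory=DIRECTORY) -> Tuple[str, Optional[str]]:
    """Return (lookup_user, profile); profile None means deny.

    Mirrors the ruleset in the post: with '@admin', AdminUsers -> admin,
    ReadUsers -> user; without a suffix the user gets the default profile.
    A non-member asking for '@admin' is denied rather than silently upgraded."""
    user, suffix = split_login(login)
    groups = directory.get(user)
    if groups is None:
        return user, None  # unknown account: fail closed
    is_admin = any(re.match(r"^CN=AdminUsers,", g) for g in groups)
    is_reader = any(re.match(r"^CN=ReadUsers,", g) for g in groups)
    if suffix == "admin":
        if is_admin:
            return user, "admin"
        if is_reader:
            return user, "user"
        return user, None
    if suffix is not None:
        return user, None  # unrecognised suffix: deny
    return user, "default"
```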