tac_plus-ng user selectable group on login


Patrick Mackey

Jun 17, 2024, 12:57:05 AM
to Event-Driven Servers

tac_plus had an option where a user could specify which of their multiple groups they wanted by appending *groupname to their login.
This doesn't seem to be available on tac_plus-ng.

I'm looking for a solution where a user who logs in with username@admin (or similar) is assigned to an admin profile. Otherwise, they are assigned some default account.

Something similar to this:

ruleset {
    rule admin {
        enabled = yes
        script {
            if (user =~ /@admin/) {
                if (memberof =~ /^CN=AdminUsers,/) {
                    profile = admin
                    permit
                }
                if (memberof =~ /^CN=ReadUsers,/) {
                    profile = user
                    permit
                }
            }
        }
    }
}


I have two requirements:
 1. The username suffix must be stripped before doing an external MAVIS lookup.
 2. The rule test needs access to the original username as received from the NAS.

I can't find a way to meet both of these. Rewrite meets the first, but breaks the second. Also, any user rewrite in a MAVIS script does nothing and, according to the documentation, is not supported.


Is there a way to achieve this?

Marc Huber

Jun 18, 2024, 9:30:01 AM
to event-driv...@googlegroups.com
Hi Patrick,

the latest commit adds "user.original", which (in combination with user
rewriting) should work for your use case (I actually didn't test that
code but I'm pretty sure it will work).

Cheers,

Marc
> Is there a way to achieve this?

Patrick Mackey

Jun 18, 2024, 6:46:40 PM
to Event-Driven Servers
Hi, Marc.

That works perfectly. Thanks so much for adding this in, you're a star!