authorjim-p <jimp@pfsense.org>2015-08-12 12:07:15 -0400
committerjim-p <jimp@pfsense.org>2015-08-12 12:10:46 -0400
commit709c2f99f1bf99022ee8ba670cfd8025e2c71592 (patch)
treefde3ebe661cc80e526944be6dbebd2fe051b1c24 /etc/inc/priv.inc
parent24850bca184ba103fad984da638fe7252071d1af (diff)
Fix GUI auth from RADIUS to grab group names from the Class attribute. Implements #935
The RADIUS server must populate the Class attribute with a semicolon-separated string of user group names. As with LDAP, local groups with matching names must exist, and privileges are determined by those matching local groups.
Diffstat (limited to 'etc/inc/priv.inc')
-rw-r--r--etc/inc/priv.inc7
1 files changed, 5 insertions, 2 deletions
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index c6b244f..e6fa96f 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -240,7 +240,7 @@ function getPrivPages(& $entry, & $allowed_pages) {
}
}
-function getAllowedPages($username) {
+function getAllowedPages($username, &$attributes = array()) {
global $config, $_SESSION;
if (!function_exists("ldap_connect"))
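Review bot: The new `&$attributes = array()` parameter is taken by reference, but nothing in the visible lines writes to it, so a plain by-value `$attributes = array()` would do and would keep a caller's array from being modified by accident. The parameter is also undocumented; a comment above the function such as `// $attributes: RADIUS reply attributes of the authenticated user; group names are read from Class` would tell callers what to pass. Because the default is an empty array, a RADIUS caller that omits the argument gets no server-supplied groups and no error, which is worth stating in that comment. The function body continues outside this hunk, so a write to `$attributes` further down cannot be ruled out.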
@@ -251,8 +251,11 @@ function getAllowedPages($username) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
// obtain ldap groups if we are in ldap mode
- if ($authcfg['type'] == "ldap")
+ if ($authcfg['type'] == "ldap") {
$allowed_groups = @ldap_get_groups($username, $authcfg);
+ } elseif ($authcfg['type'] == "radius") {
+ $allowed_groups = @radius_get_groups($attributes);
+ }
if (!$allowed_groups) {
// search for a local user by name
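Review bot: `$allowed_groups` is assigned only in the ldap and radius branches, so with any other auth type the `if (!$allowed_groups)` test reads an undefined variable; setting `$allowed_groups = array();` before the `if` makes the fallback explicit. In the new radius branch the `@` in front of `radius_get_groups($attributes)` hides any warning raised while handling server-supplied data, and an empty result falls through to the local-user-by-name lookup, so a RADIUS login whose name matches a local account would presumably take that account's groups. Dropping the `@` and logging an empty group list would make that path visible to an administrator. The function continues outside the hunk.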