I'm currently using AD to push different users into different roles. This I got working (yay).
As a next step I'd like to limit the number of mac-addresses any 1 user can register.
I use the following expression to accomplish that:
    return
        empty($user['mac_auth'])
        && NwaDynamicLoad('NwaCreateUser')
        && NwaDynamicLoad('NwaNormalizeMacAddress')
        && ($mac=NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
        && ((!empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms'=>1,
                'mac'=>$mac,
                'mac_auth'=>1,
                'role_id'=>8,
                'visitor_name'=>$user['username'],
                'sponsor_name'=>$user['username'],
                'mac_auth_pair'=>$user['id'],
                'modify_expire_time'=>'12h',
                'auto_update_account'=>1)))
            || (empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms'=>1,
                'role_id'=>8,
                'mac'=>$mac,
                'mac_auth'=>1,
                'visitor_name'=>$user['displayname'],
                'sponsor_name'=>$user['userprincipalname'],
                'mac_auth_pair'=>$user['id'],
                'modify_expire_time'=>'24h',
                'do_expire'=>4,
                'auto_update_account'=>1)))
        )
        && 0;
I'm setting the sponsor_name to AD's userprincipalname to identify who actually created the mac account.
The amigopodTechNoteAutoMACAuthAccount.pdf doc then explains to add a bit to limit the number of mac-accounts that can be created by a single user. So I changed the above role to:
    return
        (
            ($MAX_MAC_ACCOUNTS = 1)
            && (NwaRadiusLocalServer()->GetUserCount(array(
                    'sponsor_name' => strtolower(GetAttr('User-Name')),
                    'delete_time' => 0,
                    'mac_auth' => 1)
                ) >= $MAX_MAC_ACCOUNTS)
            ? (AccessReject() && 0) : 1
        )
        && empty($user['mac_auth'])
        && NwaDynamicLoad('NwaCreateUser')
        && NwaDynamicLoad('NwaNormalizeMacAddress')
        && ($mac=NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
        && ((!empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms'=>1,
                'mac'=>$mac,
                'mac_auth'=>1,
                'role_id'=>8,
                'visitor_name'=>$user['username'],
                'sponsor_name'=>$user['username'],
                'mac_auth_pair'=>$user['id'],
                'modify_expire_time'=>'12h',
                'auto_update_account'=>1)))
            || (empty($user['id']) && NwaCreateUser(array(
                'creator_accept_terms'=>1,
                'role_id'=>8,
                'mac'=>$mac,
                'mac_auth'=>1,
                'visitor_name'=>$user['displayname'],
                'sponsor_name'=>$user['userprincipalname'],
                'mac_auth_pair'=>$user['id'],
                'modify_expire_time'=>'24h',
                'do_expire'=>4,
                'auto_update_account'=>1)))
        )
        && 0;
The example in the doc used "'sponsor_name' => strtolower(GetAttr('User-Name'))," which I honestly do not understand. Ok, it retrieves the user-name variable, changes it to lowercase .. but then what? Does this change the sponsor_name to this value? What does the => do?
Since I'm using AD and already filling sponsor-name with the userprincipalname I'm guessing the above code won't work? Simply replacing User-Name with userprincipalname didn't do much either.
My problem? The limit is simply ignored. Any ideas?
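
Added example, not part of the original post and not the appliance's own code: in PHP, `=>` inside `array(...)` pairs a key with a value, so the array handed to `GetUserCount()` is a set of field/value criteria and assigns nothing. The sketch below uses a hypothetical `count_accounts()` stand-in (exact, case-sensitive matching is an assumption) and constructed sample values to show how a per-user limit is never enforced when the identifier stored in `sponsor_name` at creation differs from the one used in the lookup.

```php
<?php
// Hypothetical stand-in, NOT the appliance's GetUserCount(): counts rows whose
// fields equal every key => value pair in $filter. Exact, case-sensitive
// matching is an assumption made for this demo.
function count_accounts(array $accounts, array $filter): int
{
    $n = 0;
    foreach ($accounts as $row) {
        foreach ($filter as $field => $wanted) {
            if (!array_key_exists($field, $row) || $row[$field] !== $wanted) {
                continue 2; // one criterion failed: skip this account
            }
        }
        $n++;
    }
    return $n;
}

// Hypothetical helper mirroring the limit check in the post's expression.
function limit_reached(array $accounts, string $sponsor, int $max): bool
{
    // Same three criteria as the filter array in the post.
    return count_accounts($accounts, array(
        'sponsor_name' => $sponsor,
        'delete_time'  => 0,
        'mac_auth'     => 1,
    )) >= $max;
}

// Constructed sample values.
$radius_user_name = 'Jane.Doe';              // stands in for GetAttr('User-Name')
$upn              = 'Jane.Doe@corp.example'; // stands in for $user['userprincipalname']
$row              = array('delete_time' => 0, 'mac_auth' => 1);

// Case 1: account stored under the UPN, lookup keyed on the lower-cased
// User-Name. No row matches, so the limit check never triggers.
$stored_as_upn = array($row + array('sponsor_name' => $upn));
var_dump(limit_reached($stored_as_upn, strtolower($radius_user_name), 1));

// Case 2: one normalised key is used both when the account is written and
// when it is counted. The existing account is found and the limit applies.
$key               = strtolower($upn);
$stored_normalised = array($row + array('sponsor_name' => $key));
var_dump(limit_reached($stored_normalised, $key, 1));
```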