Dell PowerConnect W Clearpass 100 Software External Authentication Servers Sof - Page 13

Use PHP code to assign a user role (Advanced)



Amigopod | Technical Note: External Authentication Servers | 13
Select the authorization method "Use PHP code to assign a user role (Advanced)" and use the following code:

    // Members of the Domain Admins group are assigned role ID 4
    if (in_array('CN=Domain Admins,CN=Users,DC=amigopod,DC=local', $user['memberof'])) return 4;
    // Members of the built-in Users group are assigned role ID 5
    if (in_array('CN=Users,CN=Builtin,DC=amigopod,DC=local', $user['memberof'])) return 5;
    // No rule matched: authorization fails
    return false;
Explanation: During user authorization, the 'memberOf' attribute of the user (which will contain a list of the groups to which the user belongs) is checked against the defined rules, and an appropriate role ID is returned. If no match is found, false is returned, which means that authorization fails and the user's Access-Request will be rejected.

NOTE: The in_array() comparison is done in a case-sensitive manner. Be sure to use the correct case as returned by the LDAP query for the group name. Also note that the complete distinguished name (DN) for the group must be specified, as this is the value checked for in the array of values returned for the 'memberOf' attribute.

NOTE: The primary group of a user assigned in Active Directory cannot be checked in this way, as Active Directory does not return the primary group in the values of the 'memberOf' attribute. You can build logic that uses the $user['primarygroupid'] property instead to work around this issue.
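The following is an added example, not code from the Amigopod technical note, showing one way to write the same role-assignment logic so that it also covers the primary-group case described in the second note. It assumes the hook body runs with the $user attribute array available (as the note's own snippet does); the $user['memberof'] and $user['primarygroupid'] keys and the role IDs 4 and 5 come from the note, the RID values 512 and 513 are Active Directory's well-known primary-group RIDs for Domain Admins and Domain Users, and the sample $user array is constructed for illustration.

```php
<?php
// Added example: role-assignment hook covering both memberOf and the primary group.
// In the product, the body of assign_role() is what goes into the PHP code field,
// with $user supplied by the authentication server (assumption based on the note).

// Group DN => role ID. Full DNs, in the exact case returned by LDAP,
// because in_array() compares case-sensitively.
$groupRoles = [
    'CN=Domain Admins,CN=Users,DC=amigopod,DC=local' => 4,
    'CN=Users,CN=Builtin,DC=amigopod,DC=local'       => 5,
];

// Primary-group RID => role ID. AD never lists the primary group in memberOf,
// so users whose only group is their primary group need this fallback.
// 512 and 513 are AD's well-known RIDs for Domain Admins and Domain Users.
$primaryGroupRoles = [
    512 => 4,
    513 => 5,
];

function assign_role(array $user, array $groupRoles, array $primaryGroupRoles)
{
    // memberOf may be missing (no memberships) or a single string rather than an array.
    $memberOf = isset($user['memberof']) ? (array) $user['memberof'] : [];

    // Explicit group memberships are checked first, in rule order.
    foreach ($groupRoles as $dn => $roleId) {
        if (in_array($dn, $memberOf, true)) {
            return $roleId;
        }
    }

    // Fall back to the primary group, which memberOf does not include.
    if (isset($user['primarygroupid'])) {
        $rid = (int) $user['primarygroupid'];
        if (isset($primaryGroupRoles[$rid])) {
            return $primaryGroupRoles[$rid];
        }
    }

    // No rule matched: authorization fails and the Access-Request is rejected.
    return false;
}

// Constructed sample: a user with no explicit memberOf values whose
// primary group is Domain Users; the hook assigns role ID 5.
$sampleUser = [
    'samaccountname' => 'jsmith',
    'primarygroupid' => '513',
];
var_dump(assign_role($sampleUser, $groupRoles, $primaryGroupRoles));
```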