[strongSwan] local_ts based on user/group

Tobias Brunner tobias at strongswan.org
Thu Oct 31 10:22:58 CET 2019


Hi Christian,

> How would that work? Because a user can be a member of one or more groups and thus how does strongswan select the connection with all the groups.

Since a single group match is currently enough to satisfy the group
constraint (there is also no "best"-match based on groups), you'll have
to assign unique groups to the users that have access to specific
networks.  That is, groups for individual networks won't work (unless
members of such groups only have access to one network), you need groups
that allow access to combinations of networks.  If you can't change the
original group assignment, you'll need to map them somehow, for
instance, write a plugin that implements the authorize hook and assign a
new group based on the ones already assigned.  Alternatively, write a
plugin that implements the narrow hook and assigns traffic selectors
based on whatever strategy you like.

Regards,
Tobias
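To make the "unique groups per network combination" approach concrete, here is an added swanctl.conf example that is not part of the thread and not strongSwan's own sample configuration. It assumes group membership is delivered by the authentication backend (for instance the eap-radius plugin with class_group enabled, where the RADIUS Class attribute carries the group name); the connection names, group names, certificate file, pool and subnets are all constructed placeholders.

```conf
# Added example (not from the thread). Each connection requires exactly one
# group that encodes a *combination* of networks, so that a user never matches
# more than one connection: a single matching group already satisfies the
# remote.groups constraint, and there is no best-match selection on groups.
connections {
    # Users in group "acl-net-a" reach only 10.1.0.0/24
    rw-net-a {
        version = 2
        pools = rw-pool
        local {
            auth = pubkey
            certs = vpn-gateway.pem        # assumed file name
            id = vpn.example.org           # assumed gateway identity
        }
        remote {
            auth = eap-radius              # groups assumed to come from RADIUS Class
            eap_id = %any
            groups = acl-net-a             # one group only, never a list of alternatives
        }
        children {
            net-a {
                local_ts = 10.1.0.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }

    # Users in group "acl-net-a-b" reach both 10.1.0.0/24 and 10.2.0.0/24.
    # A user who is a member of both "acl-net-a" and "acl-net-b" in the
    # directory must be mapped to this single combination group upstream;
    # listing two groups here would match either one and not express "both".
    rw-net-a-b {
        version = 2
        pools = rw-pool
        local {
            auth = pubkey
            certs = vpn-gateway.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-radius
            eap_id = %any
            groups = acl-net-a-b
        }
        children {
            net-a-b {
                local_ts = 10.1.0.0/24,10.2.0.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

pools {
    rw-pool {
        addrs = 10.99.0.0/24              # assumed client address pool
    }
}
```

The point of the layout is that the groups form a partition of the user population rather than one group per subnet: every user carries exactly one "acl-" group, and that group names the full set of networks the matching child SA may propose in local_ts. If the directory only has per-network groups, the mapping to combination groups has to happen before charon sees them (in the RADIUS policy, or in a plugin on the authorize hook as described above); otherwise a user holding several per-network groups will simply land on whichever connection is tried first.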

