LDAP groups and how to filter
Alan DeKok
aland at deployingradius.com
Tue Feb 11 02:19:09 CET 2020
On Feb 10, 2020, at 5:23 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
>
> I've got FreeRadius working off a FreeIPA backend to try and sort some issues with a firewall that won't filter on LDAP groups correctly.
Firewalls typically don't do LDAP group checking. So what exactly are you trying to do?
> I've got my queries working, but now want to use post-auth to update a Group Name that the firewall will expect.
Does the firewall documentation say that it expects a group name? If so, which attribute?
You can't just send attributes in an Access-Accept and have the firewall "do the right thing". RADIUS doesn't work like that. Attributes have pre-defined meaning. If the firewall doesn't already know about an attribute, then it doesn't know what to do when it sees the attribute.
> Just wondering how in debug mode I could print out to debug all the groups that the user is a memberOf so I can write that logic. Sorry if this has been answered previously, I've not found an example, and I'm not much of an LDAP person.
Write *what* logic to do *what*? Please be specific.
Vague questions get vague answers. Detailed questions get detailed answers.
Alan DeKok.