LDAP groups and how to filter

Daniel Oakes daniel at 2600hz.com
Wed Feb 12 00:53:00 CET 2020


Thanks that definitely got me a lot closer – but for some reason I’m not getting an expansion of the groups, so suspect that it’s probably something to do with the bind user:

0)   post-auth {
(0)     if ("%{control:LDAP-Group[*]}" =~ /operations/) {
(0)     EXPAND %{control:LDAP-Group[*]}
(0)        -->
(0)     if ("%{control:LDAP-Group[*]}" =~ /operations/)  -> FALSE
(0)     update {
(0)       No attributes updated
(0)     } # update = noop

And if I put the debug version, printing out all the groups I’m seeing nothing.

Suspect it’s all purely the LDAP config at this point, but authentication is working.

Cheers,
Daniel


From: uj2.hahn at posteo.de <uj2.hahn at posteo.de>
Date: Wednesday, 12 February 2020 at 9:07 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Freeradius-Users <freeradius-users-bounces+uj2.hahn=posteo.de at lists.freeradius.org>, Daniel Oakes <daniel at 2600hz.com>
Subject: Re: LDAP groups and how to filter
Hi, Daniel!
I think I understand what you want to achieve. Recently I implemented
something similar. Propably not the same
but maybe I can give you an idea :
Problem: Users in a school can be in more than one LDAP group (e.g. in
"student" group but in "blocked" group as well).
The default code in LDAP module get these groups and write them into
attribute LDAP-Group. Note this is not a simple scalar variable
but a list (or you can see it as stack). When you write  if (LDAP-Group
== "LDAP Group One") , than you compare the top element of LDAP-Group
only.
When you use LDAP-Group[*] instead you get ALL groups, concatenated into
a string.
So please see my code in post-auth section (sorry, comments are in
German):

if ("%{control:LDAP-Group[*]}" =~ /gesperrt/) {
         update reply {
                         Reply-Message := "Nutzer ist gesperrt!"
                        }
        reject
}
if ("%{control:LDAP-Group[*]}" =~ /schueler/) {
        if (Current-Time !=
"%{%{ldap:ldap:///cn=schueler,ou=groups,dc=kms,dc=de?radiusLoginTime}:-Any}")
{
           update reply {
                         Reply-Message := "Außerhalb der erlaubten
Zeit!"
                        }
           reject
        }
}
elsif ("%{control:LDAP-Group[*]}" =~ /lehrer/) {
        if (Current-Time !=
"%{%{ldap:ldap:///cn=lehrer,ou=groups,dc=kms,dc=de?radiusLoginTime}:-Any}")
{
           update reply {
                         Reply-Message := "Außerhalb der erlaubten
Zeit!"
                        }
           reject
        }
}
elsif ("%{control:LDAP-Group[*]}" =~ /gast/) {
        if (Current-Time !=
"%{%{ldap:ldap:///cn=gast,ou=groups,dc=kms,dc=de?radiusLoginTime}:-Any}")
{
           update reply {
                         Reply-Message := "Außerhalb der erlaubten
Zeit!"
                        }
           reject
        }
}
elsif (&User-Name == "RadiusClient") {
        noop
}
else {
          update reply {
                         Reply-Message := "Nutzer muss einer Gruppe
angehören (lehrer oder schueler oder gast)"
                        }
          reject

}


For debug purpose you can temporary use the Reply-Message to output all
groups:

         update reply {
                         Reply-Message := "%{control:LDAP-Group[*]}"
                        }


Does this help?

Regards
Uwe

Am 11.02.2020 02:56 schrieb Daniel Oakes:
> I actually thought this was framed reasonably well, but okay more
> specifics.
>
> It’s a fortigate – so I want to use Fortinet-Group-Name in post-auth.
>
> I would like to get all the groups that the user is a member of from
> LDAP, and I’m just going to use a very simple if statement in
> post-auth I know the syntax is wrong, just example) :
>
> if (LDAP-Group == "LDAP Group One") {
>        update reply FG group1
> if (LDAP-Group == "LDAP Group Two") {
>        update reply FG group 2
>
> And update the reply with the Fortinet-Group-Name.
>
> What I don't understand how to do, is to do the ldap bit for the
> groups so that it shows in the FreeRadius debug (using radiusd -X).  I
> want to see all the groups they may be a member of, so I can develop
> the logic further.
>
> Excuse me if this is the wrong way to go about it - I'm happy to go
> away and learn ldap, but thought there might be some gems that others
> have done previously.
>
> Regards,
> Daniel
>
>
>
> From: Freeradius-Users
> <freeradius-users-bounces+daniel=2600hz.com at lists.freeradius.org>
> Date: Tuesday, 11 February 2020 at 2:19 PM
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: LDAP groups and how to filter
> On Feb 10, 2020, at 5:23 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
>>
>> I've got FreeRadius working off a FreeIPA backend to try and sort some
>> issues with a firewall that won't filter on LDAP groups correctly.
>
>   Firewalls typically don't do LDAP group checking.  So what exactly
> are you trying to do?
>
>> I've got my queries working, but now want to use post-auth to update a
>> Group Name that the firewall will expect.
>
>   Does the firewall documentation say that it expects a group name?
> If so, which attribute?
>
>   You can't just send attributes in an Access-Accept and have the
> firewall "do the right thing".  RADIUS doesn't work like that.
> Attributes have pre-defined meaning.  If the firewall doesn't already
> know about an attribute, then it doesn't know what to do when it sees
> the attribute.
>
>> Just wondering how in debug mode I could print out to debug all the
>> groups that the user is a memberOf so I can write that logic.  Sorry
>> if this has been answered previously, I've not found an example, and
>> I'm not much of an LDAP person.
>
>   What *what* logic to do *what*?  Please be specific.
>
>   Vague questions get vague answers.  Detailed questions get detailed
> answers.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list