Matching multiple LDAP-groups during post-auth

Braden McGrath braden at big-geek.net
Wed Mar 31 01:56:17 CEST 2021


On Thu, Mar 25, 2021 at 9:01 AM Chris Wopat <me at falz.net> wrote:
[snipped]
> Note that this will do a single match and bail out of the if
> statement. What we'd like to do is to keep matching accumulatively.
> The use case is per above it's layer2/3 devices, we'd like to add some
> other types of gear to the list where someone in the above groups
> shouldn't have access to, but someone in network-administrators AND
> $othergroup should have access to.
>
> Per Unlang, it looks like there is a case/switch statement but I
> believe we'd be hitting the same limitation there.
>
> tl;dr: how can we match multiple LDAP-groups and get reply-items from
> all that match?

Chris,
Thank you for posting your snippet, as it was helpful for me to
develop a similar setup in my org. :)
I've been doing some reading on LDAP-Group, and from what I could
find, switch/case doesn't work with it.
I'm not entirely sure why, but I saw Alan explicitly tell someone else
to use if/elseif instead... that reply was also from several years
back, so maybe that's no longer accurate?

Have you considered using nested ifs to query twice for the
"network-admins AND $othergroup" scenario?
If you're concerned about LDAP load / query time, you can enable
caching in the ldap module; then the LDAP-Group list is saved and
lookups happen against the cache instead of being re-queried each time
you ask for it.

I'd suggest investigating the syntax "&LDAP-Group[*]" as it seems to
be preferred over just "LDAP-Group", as well.

Regards,
Braden
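
An added unlang sketch (not from either poster's config) of the nested-if approach described above: independent top-level checks accumulate reply items across every matching group, and a nested check implements the "network-administrators AND $othergroup" case. Group names, the Cisco-AVPair values and the use of `&LDAP-Group[*]` are assumptions for illustration.

```unlang
post-auth {
    # Each top-level "if" is evaluated on its own, so a user in several
    # groups collects reply items from each block instead of bailing out
    # after the first match. Set "cacheable_name = yes" in the group
    # section of mods-available/ldap so membership is fetched once per
    # request rather than re-queried for every comparison.
    if (&LDAP-Group[*] == "network-administrators") {
        update reply {
            &Cisco-AVPair += "shell:priv-lvl=15"   # placeholder value
        }

        # Nested check: only users who are ALSO in "storage-admins"
        # (placeholder name) get the extra role for the storage gear.
        if (&LDAP-Group[*] == "storage-admins") {
            update reply {
                &Cisco-AVPair += "shell:roles=storage-admin"   # placeholder
            }
        }
    }

    if (&LDAP-Group[*] == "network-operators") {
        update reply {
            &Cisco-AVPair += "shell:priv-lvl=1"   # placeholder value
        }
    }
}
```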


More information about the Freeradius-Users mailing list