Matching multiple LDAP-groups during post-auth

Michael Schwartzkopff ms at sys4.de
Wed Mar 31 09:13:40 CEST 2021


On 31.03.21 01:56, Braden McGrath via Freeradius-Users wrote:
> On Thu, Mar 25, 2021 at 9:01 AM Chris Wopat <me at falz.net> wrote:
> [snipped]
>> Note that this will do a single match and bail out of the if
>> statement. What we'd like to do is to keep matching accumulatively.
>> The use case is per above it's layer2/3 devices, we'd like to add some
>> other types of gear to the list where someone in the above groups
>> shouldn't have access to, but someone in network-administrators AND
>> $othergroup should have access to.
>>
>> Per Unlang, it looks like there is a case/switch statement but I
>> believe we'd be hitting the same limitation there.
>>
>> tldr; how can we match multiple LDAP-groups and get reply-items from
>> all that match?
> Chris,
> Thank you for posting your snippet, as it was helpful for me to
> develop a similar setup in my org. :)
> I've been doing some reading on LDAP-Group, and from what I could
> find, switch/case doesn't work with it.
> I'm not entirely sure why, but I saw Alan explicitly tell someone else
> to use if/elseif instead... that reply was also from several years
> back, so maybe that's no longer accurate?
>
> Have you considered using nested ifs to query twice for the
> "network-admins AND $othergroup" scenario?
> If you're concerned about LDAP load / query time, you can enable
> caching in the ldap module; then the LDAP-Group list is saved and
> lookups happen against the cache instead of being re-queried each time
> you ask for it.
>
> I'd suggest investigating the syntax "&LDAP-Group[*]" as it seems to
> be preferred over just "LDAP-Group", as well.
>
> Regards,
> Braden
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


If the user is a member of multiple groups, LDAP-Group is an
attribute list (= array).

See the man pages of unlang.

I used LDAP-Group array checks to select VPN connections. Please see

https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html

for my solution. Hope my ideas can help you.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
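The pattern the thread is asking about, written out as an added example (not code from the thread, from the sys4 blog post, or from the FreeRADIUS project): separate `if` blocks in post-auth instead of an `if`/`elsif` chain, so every matching group contributes its reply items, plus an `&&` condition for the "network-administrators AND $othergroup" case. This assumes FreeRADIUS 3.x with the ldap module run in authorize and `name_attribute = cn` in its `group {}` section (so LDAP-Group is compared against group names, not DNs); the group names and the Cisco-AVPair reply values are hypothetical placeholders.

```unlang
# Added example, not from the original thread. FreeRADIUS 3.x unlang,
# post-auth section. Assumes the ldap module ran in authorize and that
# its group { name_attribute = cn } is set, so LDAP-Group values are
# group names. Group names and reply values below are hypothetical.
post-auth {
	# Independent "if" blocks, not "elsif": each block is evaluated in
	# turn, so a user who is in several groups collects the reply items
	# of every matching group instead of bailing out at the first hit.
	# &LDAP-Group[*] matches if any instance of the attribute equals
	# the value.
	if (&LDAP-Group[*] == "network-administrators") {
		update reply {
			&Cisco-AVPair += "shell:priv-lvl=15"
		}
	}

	if (&LDAP-Group[*] == "network-operators") {
		update reply {
			&Cisco-AVPair += "shell:priv-lvl=1"
		}
	}

	# Conjunction: the extra gear is only granted to users who are in
	# BOTH groups. Each LDAP-Group comparison is its own membership
	# check, so this is equivalent to the nested-if approach.
	if ((&LDAP-Group[*] == "network-administrators") && \
	    (&LDAP-Group[*] == "firewall-admins")) {
		update reply {
			&Cisco-AVPair += "shell:roles=firewall-admin"
		}
	}

	# Fail closed: if no group matched, no reply items were added, so
	# reject instead of letting the NAS apply its own default access.
	if (!(&reply:Cisco-AVPair)) {
		reject
	}
}
```

Two practical notes. Each LDAP-Group comparison is a separate group-membership lookup unless group caching is enabled in the ldap module (`cacheable_name = yes` in its `group {}` section), in which case the names are fetched once during authorize and later comparisons are answered from the cached list, which is what the thread's caching remark refers to. And the value you compare against must match what the module returns: group names when `name_attribute` is configured, otherwise the full group DN.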


