Matching multiple LDAP-groups during post-auth
Chris Wopat
me at falz.net
Wed May 19 20:40:01 CEST 2021
On Wed, May 19, 2021 at 10:31 AM Alan DeKok <aland at deployingradius.com> wrote:
>
> On May 19, 2021, at 9:48 AM, Chris Wopat <me at falz.net> wrote:
> > Below is a
> > snippet when one is a member of 'network*' group but not 'optical*'
> > group (omitted the network* stuff)
>
> Post the FULL debug output. This should be your default.
>
> You're asking us to help debug things, but only giving a tiny bit of the output. That is very much unhelpful.
Agree in hindsight.
> > I feel as though there's a much simpler answer to both of those, but I
> > can't see the forest for the trees.
>
> Post the FULL debug output.
Here's the debug of a failed auth where this user was a part of
"network-administrators" but not of "optical-*":
* http://pastebin.falz.net/1899174
Here's the post-auth section, which I'm also posting in-line in this email.
* http://pastebin.falz.net/1899176
post-auth {
    # Network-family groups: first match wins, else flag a reject.
    if (LDAP-Group == "network-administrators") {
        update reply {
            cisco-avpair = "shell:priv-lvl=15",
            Service-Type = "6",
            Juniper-Local-User-Name = "superuser",
            PaloAlto-Admin-Role = "superuser",
        }
    }
    elsif (LDAP-Group == "network-users") {
        update reply {
            cisco-avpair = "shell:priv-lvl=1",
            Juniper-Local-User-Name = "op",
            PaloAlto-Admin-Role = "devicereader",
        }
    }
    elsif (LDAP-Group == "network-cpe-administrators") {
        update reply {
            cisco-avpair = "shell:priv-lvl=15",
            Service-Type = "6",
        }
    }
    else {
        update reply {
            Local-Reject-Check += "No matching network"
        }
    }

    # Optical-family groups: evaluated independently of the block above.
    if (LDAP-Group == "optical-administrators") {
        update reply {
            Ciena-User-Privilege = "super",
            Infinera-User-Privilege-NA = "NA-PRIVILEGED",
            #<snip more Infinera-User-stuff>
            Infinera-User-Category = "administrator"
        }
    }
    elsif (LDAP-Group == "optical-users") {
        update reply {
            Ciena-User-Privilege = "limited"
        }
    }
    else {
        update reply {
            Local-Reject-Check += "No matching optical"
        }
    }

    # Either else-branch above sets this, so a user in only one family is rejected.
    if (&reply:Local-Reject-Check) {
        reject
    }
}
Thanks for taking a look!
--Chris
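As an added example (not part of Chris's post or the FreeRADIUS project's own configuration), here is one way to structure the same policy so that a user is rejected only when neither group family matches. It assumes that is the intended behaviour, uses the internal Tmp-String-0 attribute as a scratch flag, and omits the network-cpe-administrators branch and the snipped Infinera attributes for brevity.

```unlang
post-auth {
	# Added example, not the poster's config: remember whether either group
	# family matched and reject once at the end, not in each else-branch.
	update request {
		&Tmp-String-0 := "none"
	}
	if (&LDAP-Group == "network-administrators") {
		update reply {
			&cisco-avpair = "shell:priv-lvl=15"
			&Service-Type = "6"
			&Juniper-Local-User-Name = "superuser"
			&PaloAlto-Admin-Role = "superuser"
		}
		update request {
			&Tmp-String-0 := "matched"
		}
	}
	elsif (&LDAP-Group == "network-users") {
		update reply {
			&cisco-avpair = "shell:priv-lvl=1"
			&Juniper-Local-User-Name = "op"
			&PaloAlto-Admin-Role = "devicereader"
		}
		update request {
			&Tmp-String-0 := "matched"
		}
	}
	# network-cpe-administrators branch omitted here; same pattern.
	if (&LDAP-Group == "optical-administrators") {
		update reply {
			&Ciena-User-Privilege = "super"
			&Infinera-User-Category = "administrator"
		}
		update request {
			&Tmp-String-0 := "matched"
		}
	}
	elsif (&LDAP-Group == "optical-users") {
		update reply {
			&Ciena-User-Privilege = "limited"
		}
		update request {
			&Tmp-String-0 := "matched"
		}
	}
	# Only a user in neither family reaches this reject (fail closed).
	if (&Tmp-String-0 != "matched") {
		reject
	}
}
```

A user in both families still receives both sets of reply attributes, since the two if/elsif chains remain independent.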