Matching multiple LDAP-groups during post-auth
Alan DeKok
aland at deployingradius.com
Wed May 19 23:38:48 CEST 2021
On May 19, 2021, at 2:40 PM, Chris Wopat <me at falz.net> wrote:
> Here's the debug of a failed auth where this user was a part of
> "network-administrators" but not of "optical-*":
>
> * http://pastebin.falz.net/1899174
...
(1) if (LDAP-Group == "network-administrators") -> TRUE
Good...
(1) ... skipping elsif: Preceding "if" was taken
(1) ... skipping elsif: Preceding "if" was taken
(1) ... skipping else: Preceding "if" was taken
(1) if (LDAP-Group == "optical-administrators") {
Hm... not good.
TLSMC: MozNSS compatibility interception begins.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
libldap is using the horrible RedHat "NSS" library which pretends to be OpenSSL, and gets it wrong. It might work, but it definitely won't work if you're doing EAP-TLS.
(1) elsif (LDAP-Group == "optical-users") -> FALSE
(1) else {
(1) update reply {
(1) Local-Reject-Check += "No matching optical"
The rules check for:

if member of network-admin
    ok
else
    reject

AND SEPARATELY

if member of optical-admin
    ok
else
    reject
The first test passes, the second doesn't. That's why it's rejecting.
> Here's the post-auth section, which I'm also posting in-line in this email.
The description you posted says that the user should match both a network group and an optical group. That's what the rules do.
So the question is, what do you want it to do? Write it down in plain English. And it should then be possible to translate it to "unlang".
Alan DeKok.
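The following is an added example illustrating the "write it in plain English, then translate it to unlang" advice; it is not from the thread and is not the poster's configuration. It uses FreeRADIUS 3.x unlang syntax. The group names "network-administrators", "optical-administrators" and "optical-users" come from the debug output quoted above; "network-users" is an assumed name added for symmetry, and Reply-Message is used instead of the poster's locally defined Local-Reject-Check attribute.

```unlang
#  Added example, not from the original thread.
#
#  Plain-English requirement A (what the quoted rules already do):
#    "The user must be in at least one network-* group AND
#     at least one optical-* group. Otherwise reject."
#
#  Plain-English requirement B (what the poster may have wanted):
#    "The user must be in at least one of the four groups. Otherwise reject."
#
#  Pick ONE of the two post-auth blocks below; a server can only have one.

#  ---- Requirement A: network group AND optical group ----
post-auth {
    #  First test: any network group. "||" is "any of these".
    #  Each LDAP-Group comparison triggers a group-membership lookup
    #  in rlm_ldap, so the "else" branch below is only reached when
    #  none of the listed groups matched.
    if ((LDAP-Group == "network-administrators") || (LDAP-Group == "network-users")) {
        ok
    }
    else {
        update reply {
            Reply-Message += "Not a member of any network group"
        }
        reject
    }

    #  Second test, evaluated separately: any optical group.
    #  Both tests must pass to reach the end of post-auth with "ok".
    if ((LDAP-Group == "optical-administrators") || (LDAP-Group == "optical-users")) {
        ok
    }
    else {
        update reply {
            Reply-Message += "Not a member of any optical group"
        }
        reject
    }
}

#  ---- Requirement B: any one of the four groups ----
#post-auth {
#    if ((LDAP-Group == "network-administrators") || (LDAP-Group == "network-users") ||
#        (LDAP-Group == "optical-administrators") || (LDAP-Group == "optical-users")) {
#        ok
#    }
#    else {
#        update reply {
#            Reply-Message += "Not a member of any permitted group"
#        }
#        reject
#    }
#}
```

Two practical notes. First, the "else" branch of an if/elsif chain only runs when no preceding condition matched, which is exactly why a user in "network-administrators" but in no "optical-*" group falls through to the reject in the second test of requirement A; that behaviour is correct for A and is the reason the two requirements must be written down separately before choosing one. Second, every `LDAP-Group == ...` comparison costs an LDAP query unless group membership is cached; in FreeRADIUS 3.x the `group { cacheable_name = yes }` or `cacheable_dn = yes` settings of the ldap module cache the membership list from the first lookup, which keeps multi-group post-auth rules cheap and also makes the debug output easier to read.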