Hi Brian, Picking this outstanding action. I tried "reject" before, and it is a problem. The startup comes with: /etc/freeradius/3.0/sites-enabled/default[85]: Failed to find "reject" as a module or policy. /etc/freeradius/3.0/sites-enabled/default[85]: Please verify that the configuration exists in /etc/freeradius/3.0/mods-enabled/reject. /etc/freeradius/3.0/sites-enabled/default[85]: Failed to parse "reject" entry. Also, the simple '==' doesn't work either, and that's why the loop is there. It is coming back with during authentication: (0) if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") { (0) ERROR: Failed retrieving values required to evaluate condition Configured condition is: if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") { update reply { Fortinet-Group-Name := "ro_group" Juniper-Local-User-Name := "ro_role" Reply-Message := "Authorized as RO user" } update control { Auth-Type := Accept } } Best regards Matvey Teplov ________________________________ From: Brian Julin <BJulin@clarku.edu> Sent: 22 May 2025 19:03 To: Matvey Teplov <matvey.teplov@nomios.nl>; freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Subject: Re: [EXT] Fetching memberOf attribute Matvey Teplov <matvey.teplov@nomios.nl> wrote:
The LDAP queries are happening in the authorize section after the proxy call (sites-available/default) and will yield a list of groups in the control:ldap-LDAP-Group attribute: So, when you will be getting it in the post-auth section, you can go over it with the foreach loop:
foreach &control:ldap-LDAP-Group { if ("%{Foreach-Variable-0}" == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
You should not have to do a for loop, I do not think. With a splatted array attribute, "==" is magic and just checks if any one element is equal, just splat the attribute with an index of [*] if (&control:ldap-LDAP-Group[*] == "whatever") { }
The problem I still have is how to send the Reject back if the loop conditions are not met, because before I go into it, I set Reject explicitly:
Off the top of my head, try using the "reject" keyword instead of manipulating Auth-Type, after you have determined no group has been found. something like: if (reply:Reply-Message == "Unauthorized - No Group found") { reject } ...or if your list is short, just in the last else in a bunch of nested if/else clauses.