Matvey Teplov <matvey.teplov@nomios.nl> wrote:
The LDAP queries are happening in the authorize section after the proxy call (sites-available/default) and will yield a list of groups in the control:ldap-LDAP-Group attribute: So, when you will be getting it in the post-auth section, you can go over it with the foreach loop:
foreach &control:ldap-LDAP-Group { if ("%{Foreach-Variable-0}" == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
You should not have to do a for loop, I do not think. With a splatted array attribute, "==" is magic and just checks if any one element is equal, just splat the attribute with an index of [*] if (&control:ldap-LDAP-Group[*] == "whatever") { }
The problem I still have is how to send the Reject back if the loop conditions are not met, because before I go into it, I set Reject explicitly:
Off the top of my head, try using the "reject" keyword instead of manipulating Auth-Type, after you have determined no group has been found. something like: if (reply:Reply-Message == "Unauthorized - No Group found") { reject } ...or if your list is short, just in the last else in a bunch of nested if/else clauses.