Replies inline... On Fri, Apr 22, 2022 at 8:21 AM Nick Porter <nick@portercomputing.co.uk> wrote:
To get a user's nested group membership in the LDAP-Group attribute, you need to use the membership_filter configuration item, rather than membership_attribute, using the appropriate Active Directory extended match filter:
This would be great, except I'm not using Active Directory (as Michael Ströder guessed). ;) 100% linux stack here, since my employer is a nonprofit and nobody wants to spend money for a few MS licenses just for Active Directory (even though those licenses are comparatively cheap for a nonprofit). The LDAP backend is FreeIPA, which runs "389ds," which from my understanding is pretty similar (but maybe not identical) to OpenLDAP.
As for categorising your clients, you can add other values to the client definition e.g.
client switches { ipaddr = 10.0.1.0/24 secret = XXX sensitive = yes }
Then you can refer to %{client:sensitive} in your policy This sort of thing is what I was leaning to already, thank you for confirming this will work.
If I can figure out nested groups with FreeIPA, I might do that, but at this point it's probably quicker to just bang out a bunch of unlang if's and some case statements for the special tier and be done with it... It would be a hell of a lot more elegant (IMO) to have individual LDAP groups granting RO or RW access to each type of device, and then having a user-facing group that is a member of various "Device-level" groups as needed... but it's probably also overcomplicating and overthinking things a bit.