redundant LDAP-Group
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 2 15:49:17 CET 2010
On 02/12/10 13:14, Alexander Clouter wrote:
> Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>
>>> It would be really nice to fold those duplicate LDAP-Group lines into
>>> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>>> ----
>>> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string "it-switch-admin" for attribute name "ldap_login-LDAP-Group"
>>> Errors reading /etc/freeradius/LOCAL/users-login
>>
>> AFAICT this doesn't really work because of the way the attributes
>> comparisons are actually handled.
>>
> Was wondering if someone out there knew of a neater way to do this?
Ah I see.
I was thinking you might be able to do something with the ldap xlat:
  update control {
    My-Group-Staff = "%{ldap1:...}"
  }
  if (!control:My-Group-Staff) {
    update control {
      My-Group-Staff = "%{ldap2:...}"
    }
  }
or:
  update control {
    My-Group-Staff = "%{%{ldap1:..}:-%{ldap2:...}}"
  }
...but sadly again, the ldap xlat doesn't return an error code, just 0
so it's impossible to distinguish between no match and error, and you'll
end up hitting the "ldap2" module a lot when you don't need to.
Hmm. Tricky.
How about a pair of ldap modules and creative use of the ldap.attrmap,
so something like:
  checkItem My-Group memberOf +=
...then:
  policy {
    myldap {
      ldap1
      if (fail) {
        ldap2
      }
    }
  }
...then:
  authorize {
    myldap
    if (control:My-Group == Staff) {
      # something
    }
  }
Alternatively, how about:
  policy {
    myldap {
      update request {
        Module-Failure-Message !* 0x00
        My-Group = "%{ldap1:...}"
      }
      if (Module-Failure-Message) {
        update request {
          My-Group = "%{ldap2:...}"
        }
      }
    }
  }
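A worked version of the two-instance approach sketched above, put together as an added example rather than configuration taken from the message or from the FreeRADIUS project. The attrmap line is the one given in the message; the server hostnames, base DN, the local attribute number for My-Group and the group DN are assumptions.

```text
# raddb/dictionary -- site-local attribute; 3000-3999 are reserved for local use
ATTRIBUTE  My-Group  3000  string

# raddb/ldap.attrmap -- shared by both instances; the "+=" line is the one from
# the message above, so both instances fill the same control-list attribute
checkItem  My-Group  memberOf  +=

# raddb/modules/ldap -- two instances, one per directory server (assumed names)
ldap ldap1 {
	server = "ldap1.example.org"
	basedn = "dc=example,dc=org"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
}
ldap ldap2 {
	server = "ldap2.example.org"
	basedn = "dc=example,dc=org"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	dictionary_mapping = ${confdir}/ldap.attrmap
}

# raddb/policy.conf -- try ldap1, fall back to ldap2 only if ldap1 failed.
# "fail = 1" overrides the default action for a failed module (return from
# the section), so processing continues and the if (fail) test is reached;
# a user who is simply not in ldap1 gives notfound and does not trigger ldap2.
policy {
	myldap {
		ldap1 {
			fail = 1
		}
		if (fail) {
			ldap2
		}
	}
}

# raddb/sites-enabled/default, authorize section -- one group test instead of
# one per ldap instance (the group DN is an assumed value)
authorize {
	...
	myldap
	if (control:My-Group == "cn=it-switch-admin,ou=groups,dc=example,dc=org") {
		update reply {
			Service-Type = Administrative-User
		}
	}
	...
}
```

Because the directory lookups run in one policy, the `users` file no longer needs a separate LDAP-Group line per ldap instance.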