Caching Multiple LDAP Groups
Jonathan Gryak
jgryak at westport.k12.ct.us
Thu Apr 14 20:02:59 CEST 2016
I am attempting to cache multiple LDAP groups for use post-authentication.
This is an EAP-PEAP connection. Only the last group added to the cache is
available. How can I cache (and access) all of the groups?
I am running FreeRADIUS Version 3.0.12 (git #34f7ba7), built on Apr 6
2016 at 08:07:17. Below is the relevant debug output:
Expanding LDAP groups:
> (7) ldap: Adding cacheable user object memberships
> (7) ldap: &control:LDAP-Cached-Membership += "Group1"
> (7) ldap: &control:LDAP-Cached-Membership += "Group2"
> (7) ldap: &control:LDAP-Cached-Membership += "Group3"
> (7) ldap: &control:LDAP-Cached-Membership += "Group4"
> (7) ldap: &control:LDAP-Cached-Membership += "Group5"
> (7) ldap: &control:LDAP-Cached-Membership += "Group6"
> (7) ldap: &control:LDAP-Cached-Membership += "Group7"
> (7) ldap: &control:LDAP-Cached-Membership += "Group8"
Cache Update:
> (7) [ldap] = ok
> (7) } # if (notfound) = ok
> (7) cache: EXPAND %{User-Name}
> (7) cache: --> jgryak
> (7) cache: No cache entry found for "jgryak"
> (7) cache: Creating new cache entry
> (7) cache: EXPAND Cache last updated at %t
> (7) cache: --> Cache last updated at Thu Apr 14 13:51:49 2016
> (7) cache: &reply:Reply-Message += Cache last updated at Thu Apr 14
> 13:51:49 2016
> (7) cache: EXPAND %{randstr:ssssssssssssssssssssssssssssssss}
> (7) cache: --> DWiDAixrzMh3hzN93m5QB9rWClbz.cMl
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: control:LDAP-Cached-Membership +=
> &control:LDAP-Cached-Membership -> 'Group8'
> (7) cache: Merging cache entry into request
> (7) cache: &reply:Reply-Message += "Cache last updated at Thu Apr 14
> 13:51:49 2016"
> (7) cache: &reply:Class :=
> 0x44576944416978727a4d6833687a4e39336d355142397257436c627a2e634d6c
> (7) cache: &control:LDAP-Cached-Membership += "Group8"
> (7) cache: Committed entry, TTL 3600 seconds
Post-Auth section:
(8) # Executing section post-auth from file
/opt/fr3/etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) policy set_role_or_vlan {
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) if (NAS-Port-Type == "Wireless-802.11") -> TRUE
(8) if (NAS-Port-Type == "Wireless-802.11") {
(8) foreach &control:LDAP-Cached-Membership
(8) switch %{Foreach-Variable-0} {
(8) EXPAND Foreach-Variable-0
(8) --> Group8
(8) EXPAND %{Foreach-Variable-0}
(8) --> Group8
(8) } # switch %{Foreach-Variable-0} = noop
(8) } # foreach &control:LDAP-Cached-Membership = noop
(8) if ("%{mschap:User-Name}" =~/\$$/) {
Thank you for your help.
--
Jonathan Gryak
Infrastructure Manager
Westport Public Schools
Technology Center
136 Riverside Avenue
Westport, CT 06880
(203) 341-1211