configuration for retrieving LDAP security group membership

Adam Thompson athompson at uplogix.com
Mon Jan 16 20:24:57 CET 2017


All,

I managed to get FreeRADIUS 2.2.6 to return LDAP group membership, but now I need to clean up the output. Does anyone have suggestions on how to do that?

I added this to my config: 

post-auth {
        update reply {
                # Join six fixed indices of the LDAP-populated scratch attribute
                Uplogix-User-Groups := " %{reply:Uplogix-JUNK[0]} ,  %{reply:Uplogix-JUNK[1]} , %{reply:Uplogix-JUNK[2]} , %{reply:Uplogix-JUNK[3]} , %{reply:Uplogix-JUNK[4]} , %{reply:Uplogix-JUNK[5]}"
                # Remove every instance of the scratch attribute from the reply
                Uplogix-JUNK !* ANY
        }
}



Now the server returns output like: 

++update reply {
        expand:  %{reply:Uplogix-JUNK[0]} ,  %{reply:Uplogix-JUNK[1]} , %{reply:Uplogix-JUNK[2]} , %{reply:Uplogix-JUNK[3]} , %{reply:Uplogix-JUNK[4]} , %{reply:Uplogix-JUNK[5]} ->  CN=evaluation,CN=Users,DC=doc,DC=uplogix,DC=com ,  CN=Administrators,CN=Builtin,DC=doc,DC=uplogix,DC=com ,  ,  ,  ,
++} # update reply = noop
+} # group post-auth = noop
Sending Access-Accept of id 19 to 203.0.113.8 port 63394
        Uplogix-User-Groups = " CN=evaluation,CN=Users,DC=doc,DC=uplogix,DC=com ,  CN=Administrators,CN=Builtin,DC=doc,DC=uplogix,DC=com ,  ,  ,  , "
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.


Does anyone have suggestions for how to clean up the output? 

At first I thought I could use the !~ and =~, but it looks like those can only be used to evaluate, not to change the contents of the reply. 



TIA 
-Adam
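
The padding in the output above comes from expanding six fixed indices whether or not the attribute has that many values. As an added example (not from the original post, and not verified on the poster's server), the following unlang fragment uses the "[*]" expansion, which returns every value of an attribute as one comma-separated string, so only the groups the ldap module actually placed in Uplogix-JUNK appear and no empty slots or stray spaces are emitted. The attribute names are the poster's; the assumption is that "[*]" behaves this way in 2.2.6 and that Uplogix-JUNK is already populated before post-auth runs.

```unlang
# Added example, not from the original post.  Builds Uplogix-User-Groups from
# however many group DNs Uplogix-JUNK holds, instead of six fixed indices.
# Assumes "%{reply:Attr[*]}" expands to all values joined with "," on the
# poster's 2.2.6 server; confirm the expansion under "radiusd -X" first.
post-auth {
        update reply {
                # One DN per value, joined with "," and no surrounding spaces,
                # so the NAS can split and match the group names exactly.
                Uplogix-User-Groups := "%{reply:Uplogix-JUNK[*]}"
                # Drop the scratch attribute so it is never sent to the NAS.
                Uplogix-JUNK !* ANY
        }
}
```

Two checks are worth doing before relying on this for authorization: confirm in the debug output that the expanded string carries no leading or trailing whitespace around each DN, since a NAS that compares group names literally will silently fail to match otherwise; and keep in mind that a single RADIUS attribute value is limited to 253 bytes (less for a vendor-specific attribute), so a user in many groups with long DNs will not fit in one Uplogix-User-Groups value, and that case should be tested rather than assumed to work.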




-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+athompson=uplogix.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Wednesday, December 14, 2016 10:38 AM
To: FreeRadius users mailing list
Subject: Re: configuration for retrieving LDAP security group membership

On Dec 14, 2016, at 11:02 AM, Adam Thompson <athompson at uplogix.com> wrote:
> 
> I'm stuck with v 2.2.6, unfortunately.

  There is no technical reason which prevents you from upgrading.

> For the LDAP query, should I add an "update" section to get the group membership? Where should that go, in the LDAP section of the configuration?  

  No.  You cannot retrieve LDAP groups like that in v2.  It only works in v3.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
