rlm_ldap: How to filter based on specific attributes?

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Mon Jul 22 13:05:12 CEST 2019


Hi

I have an (OpenLDAP-based) directory that sets a specific attribute
(univentionNetworkAccess) on either the user or the group based on which
network access is being granted. (1 means you are permitted, 0 or access
of that attribute indicates no access)

I think this is where using access_attribute wouldn't work, as it is
only defined in the users section but not groups - right?

Additionally, access should also only be granted if certain other
attributes have specific values (such as sambaAcctFlags, meaning if a
user is locked or disabled).

I'm looking into where this could be configured in the most meaningful
way without adding too many chunks of custom logic to the default
configuration... as in my experience staying close to the default config
usually helps avoid stupid errors...

So far I've thought about mapping these attributes from LDAP to FR and
then using unlang statements in post-auth for example to check for each
condition.

Q: How could I map attributes from LDAP groups to FreeRADIUS?
(I've only ever done this with user attributes)

(Somewhat similar as to what a guy asked in 2016:
http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084450.html)

If all attributes are mappable to FreeRADIUS using unlang, making
conditions in the post-auth section would look possible ... right?

Or would it be better to modify the LDAP "filter =" statements of the
ldap module in the user{ } and group{ } sections with the required
attributes? (likely ending up in somewhat clunky LDAP queries)

Regards
Mathieu
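The two approaches the question weighs, laid out side by side as an illustrative configuration added here (it is not from the original post or from the FreeRADIUS project). It assumes a FreeRADIUS 3.0.x rlm_ldap setup, an OpenLDAP server at ldap.example.org with base DN dc=example,dc=org, a group named wifi-users, and a locally defined string attribute LDAP-Samba-Acct-Flags in raddb/dictionary; the attribute names univentionNetworkAccess and sambaAcctFlags come from the post. The filter variant pushes the univentionNetworkAccess=1 check into the user and group filters, so entries without it are never returned; the mapping variant copies sambaAcctFlags into a control attribute so an unlang block can reject locked or disabled accounts before authentication runs.

```unlang
# raddb/dictionary (local addition; the attribute number is an assumption)
# ATTRIBUTE  LDAP-Samba-Acct-Flags  3000  string

# raddb/mods-available/ldap
ldap {
    server = "ldap.example.org"          # assumed host
    base_dn = "dc=example,dc=org"        # assumed base DN

    user {
        base_dn = "ou=users,${..base_dn}"
        # Approach 1: let the directory do the filtering. Only users that
        # carry univentionNetworkAccess=1 match; an absent or 0 value makes
        # the user lookup return notfound, so nothing from LDAP is used to
        # authenticate the request.
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(univentionNetworkAccess=1))"
    }

    group {
        base_dn = "ou=groups,${..base_dn}"
        # Same idea for groups: only groups flagged with network access are
        # considered when LDAP-Group is evaluated in unlang.
        filter = "(&(objectClass=posixGroup)(univentionNetworkAccess=1))"
        name_attribute = "cn"
        membership_attribute = "memberOf"
    }

    # Approach 2: map the user's sambaAcctFlags into a control attribute so
    # the decision is made in unlang rather than in the LDAP filter.
    update {
        control:LDAP-Samba-Acct-Flags := 'sambaAcctFlags'
        control:Password-With-Header += 'userPassword'
    }
}

# raddb/sites-available/default, authorize section, after the ldap call
authorize {
    ldap

    # sambaAcctFlags looks like "[U          ]"; a D marks a disabled
    # account and an L a locked one. Reject either before Auth-Type is set.
    if (&control:LDAP-Samba-Acct-Flags && (&control:LDAP-Samba-Acct-Flags =~ /[DL]/)) {
        update reply {
            Reply-Message := "Account disabled or locked"
        }
        reject
    }

    # Require membership in a network-access group; because of the group
    # filter above, groups without univentionNetworkAccess=1 never match.
    if (!(&LDAP-Group == "wifi-users")) {   # group name is an assumption
        reject
    }
}
```

Putting the checks in authorize rather than post-auth means a disabled account is refused without a password being verified at all, and a rejected request shows the reason in the Reply-Message and in the radiusd log, which is what you want when reviewing why a login was denied.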

