rlm_ldap: How to filter based on specific attributes?

Alan DeKok aland at deployingradius.com
Mon Jul 22 13:12:55 CEST 2019


On Jul 22, 2019, at 7:05 AM, Mathieu Simon (Lists) <matsimon.lists at simweb.ch> wrote:
> I have an (OpenLDAP-based) directory that sets a specific attribute
> (univentionNetworkAccess) on either the user or the group based on which
> network Access is being granted. (1 means you are permitted, 0 or access
> of that attribute indicates no access)
> 
> I think this is where using access_attribute wouldn't work, as it is
> only defined in the users section but not groups - right?

  Yes.

> Additionally access should also only be granted if certain other
> Attributes have specific values (such as sambaAcctFlags, meaning if a
> user is locked or disabled).

  Which likely means custom policies.

> I'm looking into where this could be configured in the most meaningful
> way without adding too many chunks of custom logic to the default
> configuration... as in my experience staying close to the default config
> usually helps avoiding stupid errors...

  Custom policies can be complex. :(  Debugging complex systems is hard.

> So far I've thought about mapping these attributes from LDAP to FR and
> then using unlang statements in post-auth for example to check for each
> condition.
> 
> Q: How could I map attributes from LDAP groups to FreeRADIUS?
> (I've only ever done this with user attributes)

  In v3, it's a little complex.  In (coming some time soon) v4, it's a "map" command. :(

> (Somewhat similar as to what a guy asked in 2016:
> http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084450.html)
> 
> If all attributes are mappable to FreeRADIUS using unlang, making
> conditions in the post-auth section would look possible ... right?

  Yes.

> Or would it be better to modify the LDAP "filter =" statements of the
> ldap module in the user{ } and group{ } sections with the required
> attributes ? (likely ending up in somewhat clunky LDAP queries)

  That will be the simplest in v3.  The LDAP server will parse and apply the filters quickly.  It will be more work to copy the data to FreeRADIUS, and then implement the policies in "unlang".

  Alan DeKok.
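
A worked example of the filter-based approach Alan recommends for v3, added here for illustration; it is not part of the thread and not the FreeRADIUS project's shipped configuration. It assumes users live under ou=users and groups under cn=groups (placeholder base DNs), that group membership is expressed with member or memberUid, and that the Samba schema is in use, where sambaAcctFlags is a string such as "[UX         ]" (D = disabled, L = locked) with substring matching defined. The attribute names univentionNetworkAccess and sambaAcctFlags come from the question; everything else (server name, DNs, the Tmp-Integer-0 holding attribute, the group names) is an assumption to be adapted to the real directory.

```conf
# mods-available/ldap (FreeRADIUS v3) -- added example, not from the thread.
# Placeholder server and base DN; replace with the real values.
ldap {
	server  = "ldap.example.org"
	base_dn = "dc=example,dc=org"

	user {
		base_dn = "ou=users,${..base_dn}"
		# Default v3 user lookup, plus: exclude Samba accounts flagged D
		# (disabled) or L (locked). The LDAP server evaluates this, so no
		# unlang is needed for the lockout check. An entry that has no
		# sambaAcctFlags at all passes both negated terms (NOT of an
		# absent attribute is true), which is the usual intent.
		filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(!(sambaAcctFlags=*D*))(!(sambaAcctFlags=*L*)))"
	}

	group {
		base_dn = "cn=groups,${..base_dn}"
		name_attribute = cn
		# Only groups carrying univentionNetworkAccess=1 count as groups
		# at all, so any Ldap-Group match or cached group name implies
		# that access was granted via a group.
		filter = "(&(objectClass=posixGroup)(univentionNetworkAccess=1))"
		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
		# Resolve every matching group of the user during authorize and
		# write the names to control:Ldap-Group for unlang to test.
		cacheable_name = yes
	}

	update {
		# Copy the per-user flag (assumed holding attribute Tmp-Integer-0)
		# so the user-level grant can be tested alongside the group grant.
		control:Tmp-Integer-0 := 'univentionNetworkAccess'
	}
}

# sites-enabled/default, authorize section -- the relevant part only.
authorize {
	# ... default entries before ldap ...
	ldap
	if (notfound) {
		# No user entry matched: unknown user, or filtered out because
		# the account is disabled or locked.
		reject
	}
	# Access requires the flag on the user entry OR membership in at
	# least one access-granting group (the group filter above already
	# excludes groups without the flag).
	if (!(&control:Tmp-Integer-0 == 1) && !(&control:Ldap-Group)) {
		reject
	}
	# ... remaining default entries ...
}
```

If the "user or group" rule is not needed and the flag is only ever set on user entries, the whole policy collapses into the user filter by appending (univentionNetworkAccess=1) to it, which is the simplest variant Alan describes: the directory rejects the user and no unlang runs at all. Check the filters with ldapsearch against a known disabled account and a known group member before enabling them, and run radiusd -X to confirm that control:Ldap-Group is populated as expected, since the cached-name behaviour depends on the membership_filter matching your directory's group layout.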