Using the contents of LDAP-Group

Michael Schwartzkopff ms at sys4.de
Mon Dec 14 12:44:31 CET 2020


On 14.12.20 12:39, Matthew Newton wrote:
>
>
> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>> I want to reply with the contents of the LDAP-Group Attribute.
>
> LDAP-Group is magic, you can't treat it like a normal attribute.
>
>> So I'd like to do something like
>>
>>
>> if ( LDAP-Group) {
>>    update reply {
>>      Reply-Message += "%{LDAP-Group}"
>>    }
>> }
>>
>>
>> This does not work. First of all, the if condition is never met. Also
>> the Reply-Message is empty if
>
> The LDAP-Group attribute doesn't exist. It is an internal "special"
> attribute which does tests, it doesn't have a value. So you can use it
> to check groups, but not to find out which groups the user is in. See
> the group search config options for rlm_ldap.
>
> A user could be in thousands of groups. Expanding a list of them all
> does not generally make sense.
>
> You can use an if/elsif construct to update the Reply-Message, testing
> for each group, as you have already got working.
>
> Or you may be able to come up with an ldap xlat which returns the
> information you need in your own situation, e.g. you know that a user
> will only ever be in one group (otherwise the xlat will only return
> the first one that is returned).
>

Thanks. Found it out the hard way.

Thanks for the hint with the xlat. I will have a look into that.

Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
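
The two approaches suggested in the quoted reply, written out as an added example that is not part of the original thread or the FreeRADIUS project's own configuration. It assumes FreeRADIUS v3 unlang, an rlm_ldap instance named `ldap` that has already run in authorize, and hypothetical group names, base DN and `member` membership attribute.

```unlang
# Added example, not from the thread. Group names, the base DN and the
# "member" attribute are assumptions; adjust them to the local directory.

# Approach 1: LDAP-Group has no value, it only performs a membership
# check against the directory. Test each group of interest by name and
# set the reply text explicitly.
if (LDAP-Group == "vpn-admins") {
	update reply {
		Reply-Message += "vpn-admins"
	}
}
elsif (LDAP-Group == "vpn-users") {
	update reply {
		Reply-Message += "vpn-users"
	}
}

# Approach 2: look the group up with the ldap xlat and an LDAP URL
# (base DN ? attribute ? scope ? filter). The xlat returns a single
# value, so this is only meaningful when each user is in exactly one
# group under the search base. control:LDAP-UserDn is populated by the
# ldap module once it has located the user.
update reply {
	Reply-Message += "%{ldap:ldap:///ou=groups,dc=example,dc=org?cn?sub?(member=%{control:LDAP-UserDn})}"
}
```

Use one approach or the other, not both; with the first, only the groups listed in the conditions can ever appear in the reply.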

