Using the contents of LDAP-Group
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Dec 14 21:20:04 CET 2020
> On Dec 14, 2020, at 5:44 AM, Michael Schwartzkopff <ms at sys4.de> wrote:
>
> On 14.12.20 12:39, Matthew Newton wrote:
>>
>>
>> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>>> I want to reply with the contents of the LDAP-Group Attribute.
>>
>> LDAP-Group is magic, you can't treat it like a normal attribute.
>>
>>> So I'd like to do something like
>>>
>>>
>>> if (LDAP-Group) {
>>>     update reply {
>>>         Reply-Message += "%{LDAP-Group}"
>>>     }
>>> }
>>>
>>>
>>> This does not work. First of all, the if condition is never met. Also
>>> the Reply-Message is empty if
>>
>> The LDAP-Group attribute doesn't exist. It is an internal "special"
>> attribute which does tests, it doesn't have a value. So you can use it
>> to check groups, but not to find out which groups the user is in. See
>> the group search config options for rlm_ldap.
>>
>> A user could be in thousands of groups. Expanding a list of them all
>> does not generally make sense.
>>
>> You can use an if/elsif construct to update the Reply-Message, testing
>> for each group, as you have already got working.
>>
>> Or you may be able to come up with an ldap xlat which returns the
>> information you need in your own situation, e.g. you know that a user
>> will only ever be in one group (otherwise the xlat will only return
>> the first one that is returned).
>>
>
> Thanks. Found it out the hard way.
>
> Thanks for the hint with the xlat. I will have a look into that.
Or enable LDAP group caching in the ldap module config and you'll get
the complete list written out to local attributes.
Then just:

update reply {
    Reply-Message := "%{LDAP-Group[*]}"
}
-Arran
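A concrete version of the group-caching approach above, as an added example and not configuration from the thread or the project. It assumes FreeRADIUS 3.0.x with the module instance named `ldap` (so the cached attribute is `LDAP-Group` in the control list), a directory that exposes membership via `memberOf`, and the server, base DNs and filter shown, all of which are assumed values.

```unlang
# mods-available/ldap (assumed layout): the group section controls how
# rlm_ldap resolves membership. With cacheable_name = yes the module
# writes one control:LDAP-Group attribute per group when it runs in
# authorize, instead of only answering "is the user in group X?" tests.
ldap {
    server = "ldap.example.com"          # assumed
    base_dn = "dc=example,dc=com"        # assumed
    group {
        base_dn = "ou=groups,dc=example,dc=com"  # assumed
        filter = "(objectClass=groupOfNames)"    # assumed
        name_attribute = cn
        membership_attribute = memberOf          # assumed
        cacheable_name = yes   # cache group names as LDAP-Group
        cacheable_dn = no      # set yes to cache group DNs instead
    }
}

# sites-enabled/default, authorize: run the module so the cache is
# populated. The magic membership test keeps working as before.
authorize {
    ldap
    if (LDAP-Group == "vpn-users") {
        update control {
            Auth-Type := LDAP
        }
    }
}

# post-auth: the cached list is now an ordinary multi-valued attribute
# in the control list, so [*] expands every cached name (comma separated).
post-auth {
    if (&control:LDAP-Group) {
        update reply {
            Reply-Message := "Groups: %{control:LDAP-Group[*]}"
        }
    }
}
```

Anything placed in Reply-Message is sent to the NAS and often shown to the end user, so the expanded list should only contain group names you are content to disclose; a single RADIUS attribute also caps out at 253 octets of text.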