Using the contents of LDAP-Group

Michael Schwartzkopff ms at sys4.de
Tue Dec 15 09:25:09 CET 2020


On 14.12.20 21:20, Arran Cudbard-Bell wrote:
>
>> On Dec 14, 2020, at 5:44 AM, Michael Schwartzkopff <ms at sys4.de> wrote:
>>
>> On 14.12.20 12:39, Matthew Newton wrote:
>>>
>>> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>>>> I want to reply with the contents of the LDAP-Group Attribute.
>>> LDAP-Group is magic, you can't treat it like a normal attribute.
>>>
>>>> So I'd like to do something like
>>>>
>>>>
>>>> if ( LDAP-Group) {
>>>>    update reply {
>>>>      Reply-Message += "%{LDAP-Group}"
>>>>    }
>>>> }
>>>>
>>>>
>>>> This does not work. First of all, the if condition is never met. Also
>>>> the Reply-Message is empty if
>>> The LDAP-Group attribute doesn't exist. It is an internal "special"
>>> attribute which does tests, it doesn't have a value. So you can use it
>>> to check groups, but not to find out which groups the user is in. See
>>> the group search config options for rlm_ldap.
>>>
>>> A user could be in thousands of groups. Expanding a list of them all
>>> does not generally make sense.
>>>
>>> You can use an if/elsif construct to update the Reply-Message, testing
>>> for each group, as you have already got working.
>>>
>>> Or you may be able to come up with an ldap xlat which returns the
>>> information you need in your own situation, e.g. you know that a user
>>> will only ever be in one group (otherwise the xlat will only return
>>> the first one that is returned).
>>>
>> Thanks. Found it out the hard way.
>>
>> Thanks for the hint with the xlat. I will have a look into that.
> Or enable LDAP group caching in the ldap module config and you'll get
> the complete list written out to local attributes.
>
> then just
>
> update reply {
> 	Reply-Message := "%{LDAP-Group[*]}"
> }
>
> -Arran
>

Thanks. That was what I missed. Now it works.


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
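
Added example, not part of the original thread and not the posters' own configuration: a FreeRADIUS 3.x sketch of the two approaches discussed above, group caching with a multi-value expansion and per-group if/elsif tests. The option names are those of the stock rlm_ldap group section; the group names, the file paths shown in comments and the control: list qualifier are assumptions for a default 3.x install.

```text
# mods-available/ldap (excerpt; merge into the existing ldap { } instance)
ldap {
	group {
		# Retrieve all of the user's group memberships when the module
		# runs in authorize and store the group names as LDAP-Group
		# values. Later LDAP-Group comparisons use these cached values
		# instead of querying the directory again.
		# Use cacheable_dn = 'yes' instead if checks are written as DNs.
		cacheable_name = 'yes'
	}
}

# sites-available/default (excerpt)
authorize {
	# The ldap module must run before the expansion below,
	# otherwise no memberships have been cached yet.
	ldap

	# Approach 1: reply with every cached group name.
	# Assumption: 3.x adds the cached values to the control list.
	update reply {
		Reply-Message := "%{control:LDAP-Group[*]}"
	}

	# Approach 2 (alternative to approach 1): disclose only groups
	# that are tested for by name. Group names here are constructed.
	# The comparison works with or without caching enabled.
	if (LDAP-Group == "vpn-users") {
		update reply {
			Filter-Id := "vpn-users"
		}
	}
	elsif (LDAP-Group == "staff") {
		update reply {
			Filter-Id := "staff"
		}
	}
}
```

A RADIUS attribute value holds at most 253 octets, so a user with many groups will not fit in a single Reply-Message; the if/elsif form also limits what directory information is disclosed to the NAS.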

