LDAP groups and how to filter

Alan DeKok aland at deployingradius.com
Tue Feb 11 02:19:09 CET 2020

On Feb 10, 2020, at 5:23 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
> I've got FreeRadius working off a FreeIPA backend to try and sort some issues with a firewall that won't filter on LDAP groups correctly.

  Firewalls typically don't do LDAP group checking.  So what exactly are you trying to do?

> I've got my queries working, but now want to use post-auth to update a Group Name that the firewall will expect.  

  Does the firewall documentation say that it expects a group name?  If so, which attribute?

  You can't just send attributes in an Access-Accept and have the firewall "do the right thing".  RADIUS doesn't work like that.  Attributes have pre-defined meaning.  If the firewall doesn't already know about an attribute, then it doesn't know what to do when it sees the attribute.

> Just wondering how in debug mode I could print out to debug all the groups that the user is a memberOf so I can write that logic.  Sorry if this has been answered previously, I've not found an example, and I'm not much of an LDAP person.

  What *what* logic to do *what*?  Please be specific.

  Vague questions get vague answers.  Detailed questions get detailed answers.

  Alan DeKok.

More information about the Freeradius-Users mailing list