LDAP groups and how to filter

Daniel Oakes daniel at 2600hz.com
Tue Feb 11 02:56:33 CET 2020

I actually thought this was framed reasonably well, but okay more specifics.

It’s a FortiGate – so I want to use Fortinet-Group-Name in post-auth.

I would like to get all the groups that the user is a member of from LDAP, and I’m just going to use a very simple if statement in post-auth (I know the syntax is wrong, just an example):

if (LDAP-Group == "LDAP Group One") {
	update reply {
		Fortinet-Group-Name := "group1"
	}
}
if (LDAP-Group == "LDAP Group Two") {
	update reply {
		Fortinet-Group-Name := "group2"
	}
}

And update the reply with the Fortinet-Group-Name.

What I don't understand is how to do the LDAP bit for the groups so that it shows in the FreeRADIUS debug (using radiusd -X).  I want to see all the groups they may be a member of, so I can develop the logic further.

Excuse me if this is the wrong way to go about it - I'm happy to go away and learn LDAP, but thought there might be some gems that others have done previously.
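An added configuration example of the approach described above (not from the original post, and not the FreeRADIUS project's own files), assuming FreeRADIUS 3.x with the stock `ldap` module and a FreeIPA directory exposing `memberOf`; the base DN and the group names in the `if` tests are placeholders:

```unlang
# mods-available/ldap, "group" subsection: cache the name of every group the
# user belongs to as control:LDAP-Cached-Membership during authorize. Under
# radiusd -X each cached group is printed, which shows all of a user's groups
# before any mapping logic is written.
group {
	base_dn = "cn=groups,cn=accounts,dc=example,dc=com"   # placeholder FreeIPA layout
	filter = '(objectClass=posixGroup)'
	name_attribute = cn
	membership_attribute = 'memberOf'
	cacheable_name = 'yes'
	cacheable_dn = 'no'
	cache_attribute = 'LDAP-Cached-Membership'
}

# sites-enabled/default, post-auth section: map cached group membership to the
# Fortinet VSA. With caching on, LDAP-Group comparisons are answered from the
# control list, so no second LDAP round trip happens here.
post-auth {
	if (LDAP-Group == "fw-admins") {            # placeholder group name
		update reply {
			Fortinet-Group-Name := "group1"
		}
	}
	elsif (LDAP-Group == "fw-users") {          # placeholder group name
		update reply {
			Fortinet-Group-Name := "group2"
		}
	}
	else {
		# Fail closed: a user in no mapped group receives no Fortinet group,
		# so the firewall applies its default policy rather than an implied one.
		update reply {
			Reply-Message := "No firewall group mapping for this user"
		}
	}
}
```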


From: Freeradius-Users <freeradius-users-bounces+daniel=2600hz.com at lists.freeradius.org>
Date: Tuesday, 11 February 2020 at 2:19 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP groups and how to filter
On Feb 10, 2020, at 5:23 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
> I've got FreeRadius working off a FreeIPA backend to try and sort some issues with a firewall that won't filter on LDAP groups correctly.

  Firewalls typically don't do LDAP group checking.  So what exactly are you trying to do?

> I've got my queries working, but now want to use post-auth to update a Group Name that the firewall will expect.  

  Does the firewall documentation say that it expects a group name?  If so, which attribute?

  You can't just send attributes in an Access-Accept and have the firewall "do the right thing".  RADIUS doesn't work like that.  Attributes have pre-defined meaning.  If the firewall doesn't already know about an attribute, then it doesn't know what to do when it sees the attribute.

> Just wondering how in debug mode I could print out to debug all the groups that the user is a memberOf so I can write that logic.  Sorry if this has been answered previously, I've not found an example, and I'm not much of an LDAP person.

  What *what* logic to do *what*?  Please be specific.

  Vague questions get vague answers.  Detailed questions get detailed answers.

  Alan DeKok.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
