LDAP groups and how to filter

Alan DeKok aland at deployingradius.com
Tue Feb 11 13:26:17 CET 2020


On Feb 10, 2020, at 8:56 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
> 
> I actually thought this was framed reasonably well, but okay, more specifics.

  It was a solution in search of an answer.  I need to understand the problem.  That way you get the best solution.  The alternative is to give you an answer which did what you asked, but not what you wanted.

> It’s a fortigate – so I want to use Fortinet-Group-Name in post-auth.
> 
> I would like to get all the groups that the user is a member of from LDAP, and I'm just going to use a very simple if statement in post-auth (I know the syntax is wrong, just an example):
> 
> if (LDAP-Group == "LDAP Group One") {
> 	update reply FG group1
> if (LDAP-Group == "LDAP Group Two") {
> 	update reply FG group 2
> 
> And update the reply with the Fortinet-Group-Name.

  Sure.

> What I don't understand is how to do the LDAP bit for the groups so that it shows in the FreeRADIUS debug (using radiusd -X).  I want to see all the groups they may be a member of, so I can develop the logic further.

  FreeRADIUS isn't for LDAP debugging.  The LDAP server may return dozens, if not hundreds of groups.  FreeRADIUS won't print them all out.

  It *does* print out the LDAP queries it's using.  So you can take those queries, and use "ldapsearch" to run the search yourself, and then get the complete answer.

  Alan DeKok.
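An added example of the workflow described above (not code from the original post or from FreeRADIUS): it reads "radiusd -X" output and turns each LDAP search FreeRADIUS logged into an ldapsearch command you can run by hand to see the full group list. It assumes the rlm_ldap debug line format shown in the comment, a placeholder server URL and bind DN, and constructed sample debug lines.

```shell
#!/bin/sh
# Added example, not from the original thread.  Converts the LDAP queries
# that "radiusd -X" prints into ldapsearch commands; nothing is executed.
#
# Assumed rlm_ldap debug line format (FreeRADIUS 3.x):
#   rlm_ldap (ldap): Performing search in "<base>" with filter "<filter>", scope "<scope>"
LDAP_URL="ldap://ldap.example.com"        # placeholder, replace with your server
BIND_DN="cn=radius,dc=example,dc=com"     # placeholder; -W prompts for the password

# Constructed sample of a user lookup followed by the group lookup.
SAMPLE_DEBUG='rlm_ldap (ldap): Performing search in "ou=people,dc=example,dc=com" with filter "(uid=bob)", scope "sub"
rlm_ldap (ldap): Performing search in "ou=groups,dc=example,dc=com" with filter "(&(objectClass=groupOfNames)(member=uid=bob,ou=people,dc=example,dc=com))", scope "sub"'

# radius_ldap_queries: read debug output on stdin, print one ldapsearch
# command per "Performing search" line.  Splitting on double quotes gives
# base in $2, filter in $4 and scope in $6 (LDAP filters contain no quotes).
radius_ldap_queries() {
    awk -F'"' -v url="$LDAP_URL" -v dn="$BIND_DN" '
        /Performing search in / {
            # -LLL: plain LDIF; only dn and cn are requested to keep output short
            printf "ldapsearch -LLL -H %s -D \"%s\" -W -b \"%s\" -s %s \"%s\" dn cn\n",
                   url, dn, $2, $6, $4
        }'
}

# Run on the constructed sample; paste the real "radiusd -X" output instead.
printf '%s\n' "$SAMPLE_DEBUG" | radius_ldap_queries
```

Run the printed group query against your LDAP server and the complete membership list comes back, which is what the debug log will not show you.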
