LDAP groups and how to filter
Matthew Newton
mcn at freeradius.org
Wed Feb 12 11:29:25 CET 2020
On Tue, 2020-02-11 at 23:53 +0000, Daniel Oakes wrote:
> Thanks that definitely got me a lot closer – but for some reason I’m
> not getting an expansion of the groups, so suspect that it’s probably
> something to do with the bind user:
Don't try and enumerate all the groups in FreeRADIUS. Configure the
LDAP module correctly and then use unlang to check groups, similar to
how you posted earlier.
    if (LDAP-Group == "LDAP Group One") {
        update reply {
            Fortinet-Group-Name := 'group1'
        }
    }
    elsif (LDAP-Group == "LDAP Group Two") {
        update reply {
            Fortinet-Group-Name := 'group2'
        }
    }
    elsif (....) {
    }
There are two ways you can check LDAP group membership. Most efficient
is normally to use the "memberOf" attribute, see "membership_attribute"
in mods-available/ldap. This is a virtual attribute maintained by the
LDAP server for each entry with a list of all the groups that entry is
a member of. Not all LDAP servers provide it, or it might not be
enabled.
The alternative is to use a filter and look for all groups that contain
"member={search DN}". This may be slower, but should be supported on
all LDAP servers. See "membership_filter" in the ldap config.
In both cases, you need server permission to be able to either read all
relevant groups (membership_filter), or the memberOf attribute
(membership_attribute).
So, like Alan said, use `ldapsearch` to do the search to check that
FreeRADIUS can get the result, then configure the group member options
in LDAP as required and use the special LDAP-Group attribute above to
do the checking. Don't try and enumerate group memberships in unlang,
the module does the checking for you. Using &LDAP-Group[*] is likely
the wrong approach.
There's a lot more at https://wiki.freeradius.org/modules/Rlm_ldap
--
Matthew
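The check Matthew describes, as an added example that is not code from the post or from the FreeRADIUS project: run the two group lookups rlm_ldap can perform (membership_attribute via memberOf, membership_filter via member=DN) as plain ldapsearch queries with the bind account FreeRADIUS uses, then reduce the LDIF output to group names and classify the result so a missing memberOf attribute or an ACL problem is visible before any unlang is written. The server URI, bind DN, password, `uid` attribute, group subtree and sample LDIF are assumed placeholders; the `(member=DN)` filter only approximates the shape of the module's membership_filter, so compare it with the one in your own mods-available/ldap.

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS project. All DNs, the host and
# the password are assumed placeholders; set them in the environment.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BIND_DN="${BIND_DN:-cn=radius,ou=services,dc=example,dc=com}"
BIND_PW="${BIND_PW:-change-me}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
GROUP_BASE="${GROUP_BASE:-ou=groups,dc=example,dc=com}"
# Use ldaps:// or add -ZZ (require StartTLS) to ldapsearch in production
# so the simple bind password does not cross the network in clear.

# Method 1 (membership_attribute): read the memberOf attribute from the
# user's own entry. A readable entry with no memberOf values usually
# means the server does not maintain the attribute or the bind DN is
# not allowed to read it.
memberof_search() {
  # $1 = login name, the value matched by the module's user filter
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$BASE_DN" "(uid=$1)" memberOf
}

# Method 2 (membership_filter): search the group subtree for entries
# whose member attribute holds the user's full DN (what rlm_ldap keeps
# in control:Ldap-UserDn). Works without memberOf, but the bind DN must
# be able to read every relevant group entry.
member_filter_search() {
  # $1 = the user's DN
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$GROUP_BASE" "(member=$1)" cn
}

# Reduce LDIF from either method to one group name per line. memberOf
# values are group DNs, so the leading cn= is taken; the filter search
# already returns cn. Folded lines (leading space) are joined first.
# Base64 values ("attr:: ...") and escaped commas in DNs are not handled.
group_names_from_ldif() {
  awk '
    function emit(line,  v) {
      if (line ~ /^memberOf: /) {
        v = substr(line, 11)
        if (match(v, /^[cC][nN]=[^,]+/)) print substr(v, 4, RLENGTH - 3)
      } else if (line ~ /^cn: /) {
        print substr(line, 5)
      }
    }
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") emit(buf); buf = $0 }
    END { if (buf != "") emit(buf) }
  '
}

# Classify one result so the failure mode is obvious:
#   no-entry   nothing matched: wrong base_dn/filter, or the bind DN
#              cannot see the entries at all
#   no-groups  entry readable but carries no group data (memberOf
#              absent or hidden by ACLs); only arises for method 1
#   ok:N       N group names found
classify_ldif() {
  ldif=$(cat)
  if ! printf '%s\n' "$ldif" | grep -q '^dn: '; then
    echo no-entry
    return
  fi
  n=$(printf '%s\n' "$ldif" | group_names_from_ldif | grep -c . || true)
  if [ "$n" -eq 0 ]; then echo no-groups; else echo "ok:$n"; fi
}

# Constructed sample of method-1 output for a user in two groups; the
# second value is folded the way ldapsearch wraps long attributes.
SAMPLE_MEMBEROF='dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=LDAP Group One,ou=groups,dc=example,dc=com
memberOf: cn=LDAP Group Two,ou=groups,dc=exa
 mple,dc=com'

if [ "${RUN_LDAP:-0}" = 1 ]; then
  # Against a real server both methods should list the same groups.
  memberof_search alice | group_names_from_ldif
  member_filter_search "uid=alice,ou=people,dc=example,dc=com" | group_names_from_ldif
else
  printf '%s\n' "$SAMPLE_MEMBEROF" | group_names_from_ldif
  printf '%s\n' "$SAMPLE_MEMBEROF" | classify_ldif
fi
```

Run with `RUN_LDAP=1` and your own values to query the server; without it the script only exercises the parsing on the constructed sample. If method 1 reports `no-groups` while method 2 returns the groups, the server lacks a readable memberOf and membership_filter is the setting to use; if both come back empty for a user that exists, look at the ACLs granted to the bind DN before touching the FreeRADIUS configuration.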
More information about the Freeradius-Users
mailing list