Microsoft AD group check
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Jan 13 19:22:56 CET 2020
> (7) ldap: Adding cacheable user object memberships
> (7) ldap: &control:LDAP-Cached-Membership += "VLAN130_SIEO1"
> ...
> (8) ldap: &control:LDAP-Cached-Membership += "VLAN130_SIEO1"
> (8) ldap: EXPAND (|(&(objectClass=group)(member=%{control:Ldap-UserDn})))
> ...
> (9) elsif (LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) {
> (9) elsif (LDAP-Cached-Membership[*] =~ /.*VLAN130_.*/) -> FALSE
>
> The first number (7), (8), and (9) are the packet numbers. So you're saving the LDAP-Cached-Membership attribute in packet 8, and then looking for it in packet 9. That won't work.
>
> Further, read the debug output. The LDAP-Cached-Membership attribute is being added to the *control* list. And the "if" check you wrote isn't looking in the "control" list.
>
> The server doesn't cache all attributes across all packets. You need to save the packets in the session-state list.
>
> i.e. In the post-auth section, do:
>
> post-auth {
> ...
> Post-Auth-Type Challenge {
> update session-state {
> &LDAP-Cached-Membership = &control:LDAP-Cached-Membership
Should be:
&LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
but otherwise, yes.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
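Putting both corrections from the thread together, as an added example that is not from either poster: copy every cached membership value from the control list into session-state in the Challenge packet, then test the session-state list (not the default request list) in the final packet. The VLAN reply attributes are an assumption about what a VLAN130_ group is meant to produce; the ldap module is assumed to be configured so that control:LDAP-Cached-Membership is populated, as in the debug output above.

```unlang
# Added example (not from the thread). Assumes rlm_ldap populates
# control:LDAP-Cached-Membership during authorize, and that a group
# named VLAN130_... should place the supplicant in VLAN 130 (assumption).

post-auth {
    #
    #  Inner EAP round trips: ldap has just populated the control list
    #  for *this* packet. The control list is discarded with the packet,
    #  so copy every group name into session-state, which FreeRADIUS
    #  carries across the packets of one EAP conversation via the
    #  State attribute.
    #
    Post-Auth-Type Challenge {
        update session-state {
            &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
        }
    }

    #
    #  Final Access-Accept: the values were cached in an earlier packet,
    #  so they exist only in session-state. Qualify the list explicitly;
    #  a bare "LDAP-Cached-Membership" would search the request list and
    #  the check would evaluate to FALSE exactly as in the debug output.
    #  Anchoring with ^ avoids matching a group that merely contains
    #  the string VLAN130_ somewhere in its name.
    #
    if (&session-state:LDAP-Cached-Membership[*] =~ /^VLAN130_/) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "130"
        }
    }
}
```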