Matching multiple LDAP-groups during post-auth

Chris Wopat me at falz.net
Wed Mar 31 13:42:00 CEST 2021


On Tue, Mar 30, 2021 at 6:56 PM Braden McGrath via Freeradius-Users
<freeradius-users at lists.freeradius.org> wrote:
>
> Have you considered using nested ifs to query twice for the
> "network-admins AND $othergroup" scenario?
> If you're concerned about LDAP load / query time, you can enable
> caching in the ldap module; then the LDAP-Group list is saved and
> lookups happen against the cache instead of being re-queried each time
> you ask for it.

Using a complicated series of ANDs is something we hope to not have to
fall back on due to complexity.

Let's say there were 5 groups:

* 3 groups for 'network' layer2/3
* 2 groups for 'optical' layer1

... there are 31 combinations of 5 items, meaning 31 IF statements, which
is unruly.

Thanks for the caching tip, unsure if this is currently enabled but will do so!


On Wed, Mar 31, 2021 at 2:14 AM Michael Schwartzkopff <ms at sys4.de> wrote:
>
> If the user is member of multiple groups, the LDAP-Group is a
> Attribute-List (=Array).
>
> see the man pages of unlang.
>
> I used LDAP-Group array checks to select VPN connections. Please see
>
> https://blog.sys4.de/strongswan-vpn-based-on-groups-en.html
>
> for my solution. Hope my ideas can help you.

Very helpful, thank you. I haven't used "case" before. In the link above
you mention you "have to use the switch / case structure since a user can
be member of multiple groups". Does this mean that the switch/case
statement will update the reply for *all* matching cases, not just the
first hit?

If so this is exactly what I'm looking for, but my brain assumed, due
to the "switch", that the first hit would win and it would stop
processing after that.

--Chris
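An added example, not from this thread or from the linked blog post, showing the "one independent if per group" shape the earlier reply suggested for the five-group case above. In unlang a switch executes only the first matching case (or default), with no fall-through, so applying every matching group's settings is done with separate ifs rather than a switch. The example assumes FreeRADIUS 3.x with the ldap module configured so that `LDAP-Group == name` performs a membership check; the group names and the use of Filter-Id as the role-carrying reply attribute are placeholders.

```unlang
post-auth {
    # Added example, not the thread's own configuration. Assumes the ldap
    # module is loaded so "LDAP-Group == name" does a membership lookup
    # (cached if caching is enabled) and that the NAS maps Filter-Id
    # values to roles. Group names are placeholders.

    # Layer 2/3 groups: each match appends its own value, so a user in
    # several groups gets several values. No per-combination logic is
    # needed: five groups, five checks, not 31.
    if (LDAP-Group == "net-core") {
        update reply {
            &Filter-Id += "net-core"
        }
    }
    if (LDAP-Group == "net-edge") {
        update reply {
            &Filter-Id += "net-edge"
        }
    }
    if (LDAP-Group == "net-wan") {
        update reply {
            &Filter-Id += "net-wan"
        }
    }

    # Layer 1 groups.
    if (LDAP-Group == "optical-dwdm") {
        update reply {
            &Filter-Id += "optical-dwdm"
        }
    }
    if (LDAP-Group == "optical-otn") {
        update reply {
            &Filter-Id += "optical-otn"
        }
    }

    # A user who matched none of the groups gets no role at all; reject
    # rather than sending an Access-Accept with an empty role list.
    if (!&reply:Filter-Id) {
        reject
    }
}
```

Each if is evaluated independently, so the reply carries one Filter-Id per group the user belongs to, and adding a sixth group is one more block rather than a rewrite of the combination table. The final existence check is what makes the "no group matched" case explicit instead of an accept with nothing in it.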

