Matching multiple LDAP-groups during post-auth
Alan DeKok
aland at deployingradius.com
Wed Mar 31 14:02:03 CEST 2021
On Mar 31, 2021, at 7:42 AM, Chris Wopat <me at falz.net> wrote:
> using a complicated series of ANDs is something we hope to not have to
> fall back on due to complexity.
The unfortunate reality is that complexity has to go somewhere.
> Let's say there were 5 groups:
>
> * 3 groups for 'network' layer2/3
> * 2 groups for 'optical' layer1
>
> .. there's 31 combinations of 5 items, meaning 31 IF statements, which
> is unruly.
I'm not sure why you need those combinations. Why not just:
* do network layer
AND
* do optical layer?
Perhaps the rules really are "network 1 AND optical 1 gets A, network 1 AND optical 2 gets B", with A / B being completely different. In that case, you really do need massive amounts of ANDs.
The general solution is to split your rules into independent sets, and then combine the sets.
> Very helpful thank you. I haven't used "case" before- since it's in a
> switch, in the link above, you mention " have to use the switch / case
> structure since a user can be member of multiple groups". Does this
> mean that the switch/case statement will update the reply for *all*
> matching cases, not just the first hit?
It only uses the first one it finds.
Why not just do 3 IFs for network layer, followed by 2 IFs for optical layer?
You can always add an extra "if" to catch the case of "no matching group was found".
    if network 1
        update reply for network 1
    else if network 2
        ...
    else
        update reply with fake attribute saying "no match"

    if optical 1
        update reply for optical 1
    else if ...
        ...
    else
        update reply with fake attribute saying "no match"

    if reply has "no match"
        reject
Alan DeKok.
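The two independent if-chains sketched above, written out as an added example in FreeRADIUS 3.x unlang for the post-auth section. This is not code from the original post or from the FreeRADIUS project: the group DNs, the Cisco-AVPair values and the use of Tmp-String-0 as the "no match" marker are assumptions, and the ldap module is assumed to have a working "group" section so that LDAP-Group comparisons resolve.

```unlang
# Added example (not from the list post). Placeholder group DNs and reply
# attributes; adapt to the local directory and NAS.
post-auth {
	#
	# Network layer (layer 2/3): one independent chain, first match wins,
	# exactly like a switch/case. A user in two network groups gets the
	# first rule only.
	#
	if (LDAP-Group == "cn=net-core,ou=groups,dc=example,dc=com") {
		update reply {
			&Cisco-AVPair += "shell:priv-lvl=15"
		}
	}
	elsif (LDAP-Group == "cn=net-distribution,ou=groups,dc=example,dc=com") {
		update reply {
			&Cisco-AVPair += "shell:priv-lvl=7"
		}
	}
	elsif (LDAP-Group == "cn=net-readonly,ou=groups,dc=example,dc=com") {
		update reply {
			&Cisco-AVPair += "shell:priv-lvl=1"
		}
	}
	else {
		# No network group matched. Tmp-String-0 is an internal attribute
		# (number above 255), so it is never encoded on the wire.
		update request {
			&Tmp-String-0 := "no-match"
		}
	}

	#
	# Optical layer (layer 1): second, independent chain. Its reply
	# attributes are added on top of whatever the network chain set.
	#
	if (LDAP-Group == "cn=opt-admin,ou=groups,dc=example,dc=com") {
		update reply {
			&Cisco-AVPair += "shell:roles=optical-admin"
		}
	}
	elsif (LDAP-Group == "cn=opt-readonly,ou=groups,dc=example,dc=com") {
		update reply {
			&Cisco-AVPair += "shell:roles=optical-readonly"
		}
	}
	else {
		update request {
			&Tmp-String-0 := "no-match"
		}
	}

	#
	# Catch-all: a user who fell through either chain is refused, and
	# nothing set above reaches the NAS because the reply is discarded.
	#
	if (&Tmp-String-0 == "no-match") {
		update reply {
			&Reply-Message := "No authorized group membership"
		}
		reject
	}
}
```

Two chains of five conditions replace the 31 combination checks, because each layer's reply attributes are added independently and simply accumulate. The marker is placed in the request list rather than the reply list so that it can never leak to the NAS even if the reject branch is later changed. As written, the final check mirrors the sketch and rejects a user who matched nothing in either layer; if membership in only one layer should be allowed, use a separate marker per chain and reject only when both are present.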