Matching multiple LDAP-groups during post-auth
Chris Wopat
me at falz.net
Wed May 19 15:48:25 CEST 2021
Digging up this thread as I finally am testing with FreeRADIUS 3. I've
ported our config over for LDAP, and things are working great in testing.
However, I'd like to re-address my last note, which was that with the
pseudocode of if/else + if/else, we still get a reject.
See below:
On Tue, Apr 6, 2021 at 12:43 PM Alan DeKok <aland at deployingradius.com> wrote:
>
> On Apr 6, 2021, at 10:35 AM, Chris Wopat <me at falz.net> wrote:
> >
> > Thanks for the sample config. Just chiming in to say that this
> > *mostly* worked, the last item, which appears to be checking the
> > existence of "Local-Reject-Check" within the reply, didn't work and
> > I'd always get a reject.
Due to my brain comprehending output of `radiusd -X` in v3 *much*
better, what appears to be happening is there's never an explicit
'Accept' with the method suggested at:
http://lists.freeradius.org/pipermail/freeradius-users/2021-March/099690.html
In that case, if a member of 'network 1' and 'optical 1', it
authenticates. If a member of one but not the other,
Local-Reject-Check is populated and it will always reject. Below is a
snippet when one is a member of the 'network*' group but not the 'optical*'
group (omitted the network* stuff).
(9) User is not a member of "optical-users"
(9) elsif (LDAP-Group == "optical-users") -> FALSE
(9) else {
(9) update reply {
(9) Local-Reject-Check += "No matching optical"
(9) } # update reply = noop
(9) } # else = noop
(9) if (&reply:Local-Reject-Check) {
(9) if (&reply:Local-Reject-Check) -> TRUE
(9) if (&reply:Local-Reject-Check) {
(9) [reject] = reject
(9) } # if (&reply:Local-Reject-Check) = reject
(9) } # post-auth = reject
(9) Using Post-Auth-Type Reject
I'm wondering if I should look at doing one of these:
1) Explicitly state a "Post-Auth-Type Accept" and somehow change the if logic
2) Somehow mix in a vendor attribute to match device type (Juniper,
Cisco, whatever) and *only* look for the network* group when it's a
network vendor?
I feel as though there's a much simpler answer to both of those, but I
can't see the forest for the trees.
Cheers,
Chris
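A post-auth block for the two-group case discussed in this message, added here as an example; it is not part of the thread or of FreeRADIUS's own configuration. The group name "network-users" and the Reply-Message text are assumptions, and LDAP-Group is assumed to be the check item the ldap module exposes, as in the debug output above.

```unlang
post-auth {
    # Shape that produces the reject seen in the debug output above: two
    # independent if/else blocks, so a user in only ONE of the two groups
    # still falls into the other block's "else" and sets Local-Reject-Check.
    #
    #   if (LDAP-Group == "network-users") { ok } else {
    #       update reply { Local-Reject-Check += "No matching network" } }
    #   if (LDAP-Group == "optical-users") { ok } else {
    #       update reply { Local-Reject-Check += "No matching optical" } }
    #   if (&reply:Local-Reject-Check) { reject }

    # Corrected shape: one if/elsif/else chain. The final "else", and with
    # it the reject, is reached only when the user is in NEITHER group, so
    # no marker attribute is needed and the reject is explicit.
    if (LDAP-Group == "network-users") {
        ok
    }
    elsif (LDAP-Group == "optical-users") {
        ok
    }
    else {
        update reply {
            # Assumed message text; tells the NAS operator why access was denied.
            Reply-Message := "Not a member of an authorized group"
        }
        reject
    }
}
```

A user in only one of the two groups now takes the matching branch and never reaches the reject, which is the explicit accept path the debug output above shows is missing.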