Matching multiple LDAP-groups during post-auth
Alan DeKok
aland at deployingradius.com
Wed May 19 17:30:46 CEST 2021
On May 19, 2021, at 9:48 AM, Chris Wopat <me at falz.net> wrote:
>
> Digging up this thread as I finally am testing with FreeRADIUS 3. I've
> ported our config over for ldap, things working great in testing.
That's good.
> However, I'd like to re-address my last note, which was with the
> pseudocode of if/else + if/else, we still get a reject.
That happens if none of the LDAP groups match, and you force a reject.
> Due to my brain comprehending output of `radiusd -X` in v3 *much*
> better, what appears to be happening is there's never an explicit
> 'Accept' with the method suggested at:
There's never an explicit accept, because you told it to reject.
If you don't tell it to reject the user, AND the user has a good password, the server sends Accept.
> In that case, if a member of 'network 1' and 'optical 1', it
> authenticates. If a member of one but not the other,
> Local-Reject-Check is populated and it will always reject.
Likely because that's the way you wrote the rules.
> Below is a
> snippet when one is a member of 'network*' group but not 'optical*'
> group (omitted the network* stuff)
Post the FULL debug output. This should be your default.
You're asking us to help debug things, but only giving a tiny bit of the output. That is very much unhelpful.
> I feel as though there's a much simpler answer to both of those, but I
> can't see the forest for the trees.
Post the FULL debug output.
Alan DeKok.
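The two post-auth patterns discussed in this exchange, written out as an added illustration (not from the original message or from the FreeRADIUS project); the group names `network1` and `optical1` are placeholders for the poster's 'network*' and 'optical*' groups, and the snippet assumes an rlm_ldap instance named `ldap` so that `&LDAP-Group` comparisons are available:

```unlang
# Pattern that rejects: two independent if/else blocks. A user who is in
# network1 but not optical1 passes the first block and then falls into the
# "else" of the second, so the request is rejected even though one group matched.
post-auth {
    if (&LDAP-Group == "network1") { ok } else { reject }
    if (&LDAP-Group == "optical1") { ok } else { reject }
}

# Working alternative (replace the block above with this one): test both
# memberships in a single condition and return "reject" only when neither
# matched. No explicit "accept" is needed; if nothing returns reject and the
# password check already succeeded, the server sends Access-Accept.
post-auth {
    if (&LDAP-Group == "network1" || &LDAP-Group == "optical1") {
        ok
    }
    else {
        update reply {
            &Reply-Message := "Not a member of a permitted group"
        }
        reject
    }
}
```

Run `radiusd -X` after the change; the debug output shows which branch of the condition was taken for each Access-Request.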