Matching multiple LDAP-groups during post-auth

Alan DeKok aland at
Wed May 19 23:38:48 CEST 2021

On May 19, 2021, at 2:40 PM, Chris Wopat <me at> wrote:
> Here's the debug of a failed auth where this user was a part of
> "network-administrators" but not of "optical-*":
> *

	(1)     if (LDAP-Group == "network-administrators")  -> TRUE

	(1)     ... skipping elsif: Preceding "if" was taken
	(1)     ... skipping elsif: Preceding "if" was taken
	(1)     ... skipping else: Preceding "if" was taken
	(1)     if (LDAP-Group == "optical-administrators") {

  Hm... not good.

	TLSMC: MozNSS compatibility interception begins.
	tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
	tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
	TLSMC: MozNSS compatibility interception ends.

  libldap is using the horrible RedHat "NSS" library which pretends to be OpenSSL, and gets it wrong.  It might work, but it definitely won't work if you're doing EAP-TLS.

	(1)     elsif (LDAP-Group == "optical-users")  -> FALSE
	(1)     else {
	(1)       update reply {
	(1)         Local-Reject-Check += "No matching optical"

  The rules check for:

	if member of network-admin

	if member of optical-admin

  The first test passes, the second doesn't.  That's why it's rejecting.

> Here's the post-auth section, which I'm also posting in-line in this email.

  The description you posted says that the user should match both a network group and an optical group.  That's what the rules do.

  So the question is, what do you want it to do?  Write it down in plain English.  And it should then be possible to translate it to "unlang".

  Alan DeKok.

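The debug trace above shows why an if/elsif/else chain can never require two group memberships: the chain is one unit, the first "if" is taken, and every elsif/else after it is skipped ("Preceding "if" was taken"). The example below is an added illustration, not Chris's posted config and not from the FreeRADIUS project, of how the two plain-English readings translate into an unlang post-auth section for FreeRADIUS 3. The group name "network-users" and the use of Reply-Message (instead of the custom Local-Reject-Check attribute) are assumptions made for the example.

```unlang
post-auth {
	#
	#  Reading 1 (what the posted description says): the user must be
	#  in SOME network group AND in SOME optical group.
	#
	#  Each requirement is its own if/else chain.  Because they are
	#  separate chains, the second check still runs after the first
	#  one is taken, which a single if/elsif/else cannot do.
	#
	#  "network-users" is an assumed group name for this example.
	#
	if (LDAP-Group == "network-administrators" || LDAP-Group == "network-users") {
		ok
	}
	else {
		update reply {
			Reply-Message := "Not a member of any network group"
		}
		reject
	}

	if (LDAP-Group == "optical-administrators" || LDAP-Group == "optical-users") {
		ok
	}
	else {
		update reply {
			Reply-Message := "Not a member of any optical group"
		}
		reject
	}

	#
	#  Reading 2 (if what was actually meant is "any ONE of these groups
	#  is enough"): put every group into a single condition with "||",
	#  and reject only when none of them matched.  Use this INSTEAD of
	#  the two chains above, not in addition to them.
	#
	#  if (LDAP-Group == "network-administrators" || LDAP-Group == "network-users" || LDAP-Group == "optical-administrators" || LDAP-Group == "optical-users") {
	#  	ok
	#  }
	#  else {
	#  	update reply {
	#  		Reply-Message := "Not a member of any permitted group"
	#  	}
	#  	reject
	#  }
}
```

To confirm which rule actually fired, run the server with `radiusd -X` and read the `-> TRUE` / `-> FALSE` lines for each `LDAP-Group ==` comparison, as in the trace quoted above: with Reading 1 a user in a network group but no optical group should show the first chain taken and the second chain falling into its `else`, which is the reject.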