Matching multiple LDAP-groups during post-auth

Alan DeKok aland at
Thu May 20 14:55:16 CEST 2021

On May 20, 2021, at 8:45 AM, Chris Wopat <me at> wrote:
> Yes exactly. We're looking to handle situations where:
> 1) A user may be a member of a single network-* and single optical-* group
> 2) A user may be a member of a single network-* group (and no optical-*)
> 3) A user may be a member of a single optical-* group (and no network-*)

  So don't reject if checks (2) or (3) fail.  Instead, reject if *all* checks fail.

> It feels like there should be an easy way to nest or deal with this in
> unlang with some basic if/else stuff but for whatever reason my brain
> cannot come up with it. We would strongly prefer to not have to create
> more new LDAP groups for this (ie ones that are called
> network-and-optical-admins) or whatever, but i guess technically that
> would be one workaround, but more confusing for those who admin LDAP
> group membership.

  You don't need more LDAP groups.  You can instead update each matching entry with a special "OK" attribute.  And you don't need commas after each entry in an "update" section:

  if (LDAP-Group == "network-administrators") {
    update reply {
      cisco-avpair = "shell:priv-lvl=15"
      Service-Type = "6"
      Juniper-Local-User-Name = "superuser"
      PaloAlto-Admin-Role = "superuser"

       My-Local-Match = 1
  elsif (LDAP-Group == "network-users") {
    update reply {
      cisco-avpair = "shell:priv-lvl=1"
      Juniper-Local-User-Name = "op"
      PaloAlto-Admin-Role = "devicereader"

       My-Local-Match = 1

  And do the same for the optical groups.

  Then instead of looking for a reject, look for a match:

	if (!&reply:My-Local-Match) {
		reject # didn't match _any_ groups

  Alan DeKok.

More information about the Freeradius-Users mailing list