Adding ldap group information to accounting-request

[Alan DeKok]

On Nov 12, 2021, at 4:41 AM, Harry Halman <harry.halman at err.ee> wrote:
> I have a question - what is the most effective way to update Accounting-Request and populate it with Class (ldap group membership) information.

  Generally you don't.  You add the Class to the Access-Request, and it gets echoed back in the Accounting-Request packet.

> Now the actual issue.
> All my NAS devices are being asked to do accounting and the reason for that is firewall needs to have this to do on-the-fly L3 and UTM rules.
> I’m using replicate module in FR to forward all Accounting-Request packets to multiple firewalls over the organisation.
> 
> In order this to work Accounting-Request (start / interim / stop) must include the following:
> User-Name
> Framed-IP-Address
> Class (group info)
> 
> The first two are coming from NAS naturally but I can’t find a good way to populate Class in accounting section.
> If i'm not misunderstood, ldap module are not designed to fetch group information in accounting section other than “write something back to ldap”.

  You can do LDAP group checks at any point, even in accounting.  Nothing prevents you from doing that.

> With some help I managed call out external script that will do ldapsearch and return series of Class = value but is this the only and most effective way?

  i.e. you don't want to return *one* LDAP group, you want to return *many* LDAP groups.  That's a bit different.

  What you're asking here is to return a set of strings which contain the LDAP groups, and then to place those into multiple Class attributes.  This is somewhat unusual, and there isn't really a simple way to do this.

  For now, a script is OK.

  Alan DeKok.