Granting varied levels of NAS permission based on LDAP group membership

Braden McGrath braden at
Fri Apr 22 20:14:47 UTC 2022

Replies inline...

On Fri, Apr 22, 2022 at 8:21 AM Nick Porter <nick at> wrote:
> To get a user's nested group membership in the LDAP-Group attribute, you
> need to use the membership_filter configuration item, rather than
> membership_attribute, using the appropriate Active Directory extended
> match filter:

This would be great, except I'm not using Active Directory (as Michael
Ströder guessed). ;)
100% linux stack here, since my employer is a nonprofit and nobody
wants to spend money for a few MS licenses just for Active Directory
(even though those licenses are comparatively cheap for a nonprofit).
The LDAP backend is FreeIPA, which runs "389ds," which from my
understanding is pretty similar (but maybe not identical) to OpenLDAP.

> As for categorising your clients, you can add other values to the client
> definition e.g.
> client switches {
>      ipaddr =
>      secret = XXX
>      sensitive = yes
> }
> Then you can refer to %{client:sensitive} in your policy
This sort of thing is what I was leaning to already, thank you for
confirming this will work.

If I can figure out nested groups with FreeIPA, I might do that, but
at this point it's probably quicker to just bang out a bunch of unlang
if's and some case statements for the special tier and be done with
It would be a hell of a lot more elegant (IMO) to have individual LDAP
groups granting RO or RW access to each type of device, and then
having a user-facing group that is a member of various "Device-level"
groups as needed... but it's probably also overcomplicating and
overthinking things a bit.

More information about the Freeradius-Users mailing list