Pattern Match Group Membership in the attribute list

Vlad Kratsberg vkratsberg at gmail.com
Thu Jun 30 19:12:49 UTC 2022


Hello,
We are trying to configure LDAP group membership to work to avoid repeated
calls to Active Directory.

90% of the work is done:
FR 3.0.25

### Recording a list of groups:

(6) ldap: Adding cacheable user object memberships
(6) ldap:   &control:LDAP-Cached-Membership += "network_engineering-inf-eng"
(6) ldap:   &control:LDAP-Cached-Membership += "ad_jira-developers"
(6) ldap:   &control:LDAP-Cached-Membership += "engineering"
(6) ldap:   &control:LDAP-Cached-Membership += "ad_jira-administrators"
(6) ldap:   &control:LDAP-Cached-Membership += "infrastructure-eng"
(6) ldap:   &control:LDAP-Cached-Membership += "ad_employees"
(6) ldap:   &control:LDAP-Cached-Membership += "no-phc-infra"
(6) ldap:   &control:LDAP-Cached-Membership += "networks-inf-eng"

### Caching it:
(6) cache: Creating new cache entry
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'network_engineering-inf-eng'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'ad_jira-developers'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'engineering'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'ad_jira-administrators'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'infrastructure-eng'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'ad_employees'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'no-phc-infra'
(6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*] -> 'networks-inf-eng'
(6) cache: EXPAND Cache last updated at %t
(6) cache:    --> Cache last updated at Thu Jun 30 18:55:55 2022
(6) cache:   &reply:Reply-Message += Cache last updated at Thu Jun 30 18:55:55 2022
(6) cache: EXPAND %{randstr:ssssssssssssssssssssssssssssssss}
(6) cache:    --> Oae2Ugjv9rHP5rxlxNP64mal.P4ggAC4
(6) cache:   &reply:Class := 0x4f61653255676a76397248503572786c784e5036346d616c2e50346767414334
(6) cache: Merging cache entry into request
(6) cache:   &request:LDAP-Cached-Membership += "network_engineering-inf-eng"
(6) cache:   &request:LDAP-Cached-Membership += "ad_jira-developers"
(6) cache:   &request:LDAP-Cached-Membership += "engineering"
(6) cache:   &request:LDAP-Cached-Membership += "ad_jira-administrators"
(6) cache:   &request:LDAP-Cached-Membership += "infrastructure-eng"
(6) cache:   &request:LDAP-Cached-Membership += "ad_employees"
(6) cache:   &request:LDAP-Cached-Membership += "no-phc-infra"
(6) cache:   &request:LDAP-Cached-Membership += "networks-inf-eng"
(6) cache:   &reply:Reply-Message += "Cache last updated at Thu Jun 30 18:55:55 2022"
(6) cache:   &reply:Class := 0x4f61653255676a76397248503572786c784e5036346d616c2e50346767414334
(6) cache: Committed entry, TTL 10 seconds

#### Verifying that LDAP-Cached-Membership[*] contains all the groups:

(8)           EXPAND Attribute contains: %{LDAP-Cached-Membership[*]}
(8)              --> Attribute contains: network_engineering-inf-eng,ad_jira-developers,engineering,ad_jira-administrators,infrastructure-eng,ad_employees,no-phc-infra,networks-inf-eng
(8)           Reply-Message += Attribute contains: network_engineering-inf-eng,ad_jira-developers,engineering,ad_jira-administrators,infrastructure-eng,ad_employees,no-phc-infra,networks-inf-eng
(8)         } # update reply = noop

### In the Post-Auth section, when evaluating policies, I can't match any of the values stored in LDAP-Cached-Membership[*].

(8) cache: Found entry for "xxxxxxx"
(8)       [cache] = ok
(8)       if (notfound) {
(8)       if (notfound)  -> FALSE
(8)       elsif (ok) {
(8)       elsif (ok)  -> TRUE
(8)       elsif (ok)  {
(8)         if (LDAP-Cached-Membership[*] =~ /.*networks-inf-eng.*/) {
(8)         if (LDAP-Cached-Membership[*] =~ /.*networks-inf-eng.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*corporate_it-inf-eng.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*corporate_it-inf-eng.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*security-eng.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*security-eng.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*workplace_services-peo.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*workplace_services-peo.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*infrastructure-eng./) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*infrastructure-eng./)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*engineering.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*engineering.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*finance.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*finance.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*people.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*people.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*ad_contractors.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*ad_contractors.*/)  -> FALSE
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*ad_employees.*/) {
(8)         elsif (LDAP-Cached-Membership[*] =~ /.*ad_employees.*/)  -> FALSE
(8)       } # elsif (ok)  = ok

Appreciate your help in pointing me in the right direction.

Thank you
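An added check (my own Python, not part of the post or of FreeRADIUS) that runs the post's regexes against the cached group list taken from the debug output above, both per instance and against the comma-joined `%{LDAP-Cached-Membership[*]}` expansion, and contrasts them with a pattern anchored to a whole group name: the unanchored `/.*engineering.*/` also accepts `network_engineering-inf-eng`, and `/.*infrastructure-eng./` requires a trailing character, so it cannot match the bare value on its own.

```python
import re
from typing import List

# Constructed from the debug output above: the eight cached group values,
# and the comma-joined string that %{LDAP-Cached-Membership[*]} expands to.
CACHED_MEMBERSHIP = [
    "network_engineering-inf-eng", "ad_jira-developers", "engineering",
    "ad_jira-administrators", "infrastructure-eng", "ad_employees",
    "no-phc-infra", "networks-inf-eng",
]
EXPANDED = ",".join(CACHED_MEMBERSHIP)

# Patterns copied from the post-auth policy in the post (unanchored).
LOOSE_PATTERNS = {
    "networks-inf-eng": r".*networks-inf-eng.*",
    "infrastructure-eng": r".*infrastructure-eng.",  # stray '.' and no '*'
    "engineering": r".*engineering.*",
    "ad_employees": r".*ad_employees.*",
}


def exact_pattern(group: str) -> str:
    """Regex that matches `group` only as one whole comma-separated item."""
    return r"(^|,)" + re.escape(group) + r"(,|$)"


def matches_any(pattern: str, values: List[str]) -> List[str]:
    """Values the pattern hits when each instance is tested on its own."""
    return [v for v in values if re.search(pattern, v)]


def matches_expanded(pattern: str, expanded: str) -> bool:
    """Whether the pattern hits the comma-joined %{Attr[*]} expansion."""
    return re.search(pattern, expanded) is not None


def over_matches(group: str) -> List[str]:
    """Other group names the loose pattern for `group` would also accept."""
    hits = matches_any(LOOSE_PATTERNS[group], CACHED_MEMBERSHIP)
    return [v for v in hits if v != group]


if __name__ == "__main__":
    for group in LOOSE_PATTERNS:
        print(group, "over-matches:", over_matches(group))
        print(group, "anchored hit in expansion:",
              matches_expanded(exact_pattern(group), EXPANDED))
```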


More information about the Freeradius-Users mailing list