Pattern Match Group Membership in the attribute list

Alan DeKok aland at
Thu Jun 30 22:49:57 UTC 2022

On Jun 30, 2022, at 3:12 PM, Vlad Kratsberg <vkratsberg at> wrote:
> We are trying to configure LDAP group membership to work to avoid repeated
> calls to Active Directory.

  When the server does LDAP group checking, it also keeps a copy of the LDAP-Group attribute while the request is active.

  If you need to do LDAP group checking across multiple EAP rounds, you can copy the LDAP-Group attributes to the session-state list:

	update session-state {
		&LDAP-Group += &control:LDAP-Group
	}

  The server will then save / restore LDAP-Group for one EAP session, across multiple packets.

  There isn't much benefit to using the "cache" module to save LDAP-Group information.

> ### Recording a list of groups:
> (6) ldap: Adding cacheable user object memberships
> (6) ldap:   &control:LDAP-Cached-Membership += "network_engineering-inf-eng"

  That's saving it locally...

> ### Caching it:
> (6) cache: Creating new cache entry
> (6) cache:   &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
> -> 'network_engineering-inf-eng'

  That's not necessary.

> #### Verifying that LDAP-Cached-Membership[*] contains all the groups:
> (8)           EXPAND Attribute contains: %{LDAP-Cached-Membership[*]}
> (8)              --> Attribute contains:
> network_engineering-inf-eng,ad_jira-developers,engineering,ad_jira-administrators,infrastructure-eng,ad_employees,no-phc-infra,networks-inf-eng

  That is a string version of all of the LDAP-Cached-Membership attributes, with commas between the values.  So that's fine.

> ### In Post-Auth section, when evaluating policies, I can't match any of
> the values stored in the LDAP-Cached-Membership[*].
> (8) cache: Found entry for "xxxxxxx"
> (8)       [cache] = ok
> (8)       if (notfound) {
> (8)       if (notfound)  -> FALSE
> (8)       elsif (ok) {
> (8)       elsif (ok)  -> TRUE
> (8)       elsif (ok)  {
> (8)         if (LDAP-Cached-Membership[*] =~ /.*networks-inf-eng.*/) {

  Uh... why LDAP-Cached-Membership[*]?  Why not just LDAP-Cached-Membership?

  And why a regular expression match?  If you know the group names, you can just match that.


	if (LDAP-Cached-Membership == "network_engineering-inf-eng") {
		# policy for members of this group goes here
	}

  and it should work.

> Appreciate your help in pointing me in the right direction.

  I don't know why you're using LDAP-Cached-Membership[*].  That really doesn't do what you want.  See "man unlang".  Just check for one value, and the server will automatically return true if there's many attributes, with one matching the value.

  The &Attribute[*] reference is really only useful when you're printing all of the attributes to a string.  For everything else, it really doesn't do what you want.

  Alan DeKok.
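Added example (not part of the thread above) showing the two points together in FreeRADIUS 3.x unlang: copying the cached group list into session-state so it survives the EAP rounds, then testing membership in post-auth with a plain equality comparison instead of `[*]` and a regex. It assumes the ldap module has `cacheable_name = yes` with its cache attribute named LDAP-Cached-Membership (as in the quoted debug output); the second group name and the VLAN ids are made-up values.

```unlang
# Added example, not from the original post.  FreeRADIUS 3.x unlang.
# Assumes the ldap module is configured with cacheable_name = yes, so a
# successful lookup leaves one &control:LDAP-Cached-Membership instance
# per group the user belongs to (attribute name taken from the debug log).

server default {
	authorize {
		ldap
		if (ok || updated) {
			# Keep the group list for the whole EAP session so later
			# rounds do not have to query Active Directory again.
			# [*] is needed here to copy every instance, not just the first.
			update session-state {
				&LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
			}
		}
		eap
	}

	post-auth {
		# One comparison is enough: it is true if ANY instance of the
		# attribute equals the value.  No [*] and no regular expression.
		if (&session-state:LDAP-Cached-Membership == "network_engineering-inf-eng") {
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "100"   # assumed VLAN id
			}
		}
		elsif (&session-state:LDAP-Cached-Membership == "infrastructure-eng") {
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "200"   # assumed VLAN id
			}
		}
		else {
			# Not in any permitted group: refuse network access.
			reject
		}
	}
}
```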
