Fetch ACL attributes from LDAP groups
João Miguel Regateiro
jmregateiro at gmail.com
Mon Jul 31 12:52:23 UTC 2023
Hello,
I have a FreeRADIUS connected to OpenLDAP and I am testing applying ACLs fetched from LDAP attributes.
The attributes are custom from LDAP, with the syntax as shown in the configuration below.
With the following configurations I have managed to fetch the attributes from the user.
mods-available/ldap

    update {
        control:Password-With-Header += 'userPassword'
        ...
        reply:DACL += "acl-entry-001, acl-entry-002 ... acl-entry-255"
    }

dictionary

    ATTRIBUTE DACL 3000 string

sites-available/default

    foreach &reply:DACL {
        update reply {
            cisco-avpair += "%{Foreach-Variable-0}"
        }
    }
Now I am attempting to do the same, but fetching the attributes from the user groups (to avoid writing the same ACLs on different users).
I have done some research and tests, but have not managed to fetch any attribute from the groups.
For example, I know that the group acl-admins has these attributes.
If the user logging in has memberships acl-admins and network-admins, I want to fetch all the attributes "acl-entry-001, acl-entry-002 ... acl-entry-255" from acl-admins to be able to update the reply with the foreach shown above.
Could you provide some guidance in this matter?
Best regards,
Miguel
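The group-to-ACL aggregation the question is after, modelled outside FreeRADIUS as an added example (not from the original post or from the FreeRADIUS project): a constructed LDIF-style snapshot of the directory, the user's memberOf values, and the DACL attribute on the group entries are all assumptions; the function collects every ACL entry from every group the user belongs to, in membership order, dropping duplicates and ignoring dangling group references, which is what the foreach over reply:DACL would then turn into cisco-avpair values.

```python
from collections import OrderedDict

# Constructed sample directory; attribute names DACL and memberOf are assumptions.
SAMPLE_LDIF = """\
dn: uid=miguel,ou=people,dc=example,dc=com
uid: miguel
memberOf: cn=acl-admins,ou=groups,dc=example,dc=com
memberOf: cn=network-admins,ou=groups,dc=example,dc=com
memberOf: cn=removed-group,ou=groups,dc=example,dc=com

dn: cn=acl-admins,ou=groups,dc=example,dc=com
cn: acl-admins
DACL: acl-entry-001
DACL: acl-entry-002

dn: cn=network-admins,ou=groups,dc=example,dc=com
cn: network-admins
DACL: acl-entry-002
DACL: acl-entry-010
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}. No base64 or continuation lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def group_acls(entries, user_dn, acl_attr="DACL"):
    """ACL values from every group the user is memberOf, in group order, deduplicated.

    DNs are compared as exact strings (assumption); a membership pointing at a
    group entry that does not exist is skipped rather than failing the reply.
    """
    acls = OrderedDict()
    for group_dn in entries[user_dn].get("memberOf", []):
        group = entries.get(group_dn)
        if group is None:
            continue
        for value in group.get(acl_attr, []):
            acls.setdefault(value, group_dn)
    return list(acls)


def reply_avpairs(entries, user_dn):
    """What the foreach in sites-available/default produces: one cisco-avpair per ACL entry."""
    return [("cisco-avpair", v) for v in group_acls(entries, user_dn)]
```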
More information about the Freeradius-Users mailing list