[EXT] Fetching memberOf attribute

Matvey Teplov matvey.teplov at nomios.nl
Mon Jun 2 12:34:43 UTC 2025


Hi Brian,

Picking up this outstanding action. I tried "reject" before, and it is a problem. The startup comes back with:

/etc/freeradius/3.0/sites-enabled/default[85]: Failed to find "reject" as a module or policy.
/etc/freeradius/3.0/sites-enabled/default[85]: Please verify that the configuration exists in /etc/freeradius/3.0/mods-enabled/reject.
/etc/freeradius/3.0/sites-enabled/default[85]: Failed to parse "reject" entry.

Also, the simple '==' doesn't work either, and that's why the loop is there. During authentication it comes back with:
(0)     if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
(0)     ERROR: Failed retrieving values required to evaluate condition

Configured condition is:
    if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
        update reply {
            Fortinet-Group-Name := "ro_group"
            Juniper-Local-User-Name := "ro_role"
            Reply-Message := "Authorized as RO user"
        }
        update control {
            Auth-Type := Accept
        }
    }


Best regards,
Matvey Teplov

________________________________
From: Brian Julin <BJulin at clarku.edu>
Sent: 22 May 2025 19:03
To: Matvey Teplov <matvey.teplov at nomios.nl>; freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: [EXT] Fetching memberOf attribute


Matvey Teplov <matvey.teplov at nomios.nl> wrote:
> The LDAP queries are happening in the authorize section after the proxy call (sites-available/default) and will yield a list of groups in the control:ldap-LDAP-Group attribute:
> So, when you will be getting it in the post-auth section, you can go over it with the foreach loop:
>
>        foreach &control:ldap-LDAP-Group {
>                if ("%{Foreach-Variable-0}" == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {

You should not have to do a for loop, I do not think. With a splatted array attribute, "==" is magic and just checks whether any one element is equal; just splat the attribute with an index of [*]:

if (&control:ldap-LDAP-Group[*] == "whatever") {
}

> The problem I still have is how to send the Reject back if the loop conditions are not met, because before I go into it, I set Reject explicitly:

Off the top of my head, try using the "reject" keyword instead of manipulating Auth-Type, after you have determined no group has been found. Something like:

if (reply:Reply-Message == "Unauthorized - No Group found") {
  reject
}

...or if your list is short, just in the last else in a bunch of nested if/else clauses.
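As an added example, written for this thread rather than taken from either poster, here is the shape Brian describes: the [*] group comparisons in a nested if/elsif chain with the bare reject keyword in the final else, so a user in none of the listed groups is refused instead of inheriting whatever Auth-Type was set earlier in the request. It reuses the DN, reply attributes and Auth-Type := Accept from Matvey's configuration, adds a hypothetical read-write group to show the chain, and assumes the [*] comparison and the reject keyword are accepted by the reader's FreeRADIUS 3.0 build (Matvey's reply above reports both failing on his).

```unlang
# Added example: goes in the same section as Matvey's snippet, after the
# ldap module has populated &control:ldap-LDAP-Group for this request.

# [*] checks every value of the multi-valued attribute; the condition is
# true if any one of them equals the DN.
if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
    update reply {
        Fortinet-Group-Name := "ro_group"
        Juniper-Local-User-Name := "ro_role"
        Reply-Message := "Authorized as RO user"
    }
    update control {
        Auth-Type := Accept
    }
}
# Hypothetical second group (not from the thread), only to show the chain.
elsif (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadWrite_Group,DC=Groups,DC=abc,DC=abc") {
    update reply {
        Fortinet-Group-Name := "rw_group"
        Juniper-Local-User-Name := "rw_role"
        Reply-Message := "Authorized as RW user"
    }
    update control {
        Auth-Type := Accept
    }
}
# Last else: no group matched, so return reject from the section itself
# rather than depending on an Auth-Type set before these checks ran.
else {
    update reply {
        Reply-Message := "Unauthorized - No Group found"
    }
    reject
}
```

Run the server with radiusd -X and watch the "(0)" evaluation lines for the condition above; if the attribute was never populated, the else branch is what sends the Access-Reject.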

