[EXT] Fetching memberOf attribute
Brian Julin
BJulin at clarku.edu
Thu May 22 17:03:55 UTC 2025
Matvey Teplov <matvey.teplov at nomios.nl> wrote:
> The LDAP queries are happening in the authorize section after the proxy call (sites-available/default) and will yield a list of groups in the control:ldap-LDAP-Group attribute:
> So, when you will be getting it in the post-auth section, you can go over it with the foreach loop:
>
> foreach &control:ldap-LDAP-Group {
> if ("%{Foreach-Variable-0}" == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
You should not have to do a for loop, I do not think. With a splatted array attribute, "==" is magic and just checks if any one element is equal, just splat the attribute with an index of [*]
if (&control:ldap-LDAP-Group[*] == "whatever") {
}
> The problem I still have is how to send the Reject back if the loop conditions are not met, because before I go into it, I set Reject explicitly:
Off the top of my head, try using the "reject" keyword instead of manipulating Auth-Type, after you have determined no group has been found.
something like:
if (reply:Reply-Message == "Unauthorized - No Group found") {
reject
}
...or if your list is short, just in the last else in a bunch of nested if/else clauses.
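Putting the two suggestions together as a single post-auth block (an added example, not from the thread). The read-only group DN is the one quoted above; the `Radius_Admin_Group` DN and the `elsif` branch are assumed for illustration:

```unlang
post-auth {
    # The ldap module already filled control:ldap-LDAP-Group during authorize.
    # With the [*] index, "==" is true if ANY instance of the attribute matches,
    # so no foreach loop is needed.
    if (&control:ldap-LDAP-Group[*] == "CN=Radius_ReadOnly_Group,DC=Groups,DC=abc,DC=abc") {
        update reply {
            &Reply-Message := "Authorized - read-only group"
        }
    }
    # Assumed second group, shown only to illustrate the nested if/elsif/else form.
    elsif (&control:ldap-LDAP-Group[*] == "CN=Radius_Admin_Group,DC=Groups,DC=abc,DC=abc") {
        update reply {
            &Reply-Message := "Authorized - admin group"
        }
    }
    else {
        # No known group matched: set the message and return Access-Reject
        # with the "reject" keyword rather than rewriting Auth-Type.
        update reply {
            &Reply-Message := "Unauthorized - No Group found"
        }
        reject
    }
}
```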