Using the contents of LDAP-Group


Using the contents of LDAP-Group

Michael Schwartzkopff-3
Hi,


I want to reply with the contents of the LDAP-Group Attribute.

According to the doc I have

post-auth {

  if ( LDAP-Group == "admin" ) {
    update reply {
      Reply-Message += "sysmaster"
    }
  }
}

This works. But I want to reply with the contents of the LDAP-Group attribute.
So I'd like to do something like


if ( LDAP-Group) {
  update reply {
    Reply-Message += "%{LDAP-Group}"
  }
}


This does not work. First of all, the if condition is never met. Also
the Reply-Message is empty if I check the (LDAP-Group == "admin").
I also tried to add the "control" list to the attribute, but without success.

Any hints?


Kind regards,

--

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board of Directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using the contents of LDAP-Group

Matthew Newton-3


On 14/12/2020 11:20, Michael Schwartzkopff wrote:
> I want to reply with the contents of the LDAP-Group Attribute.

LDAP-Group is magic, you can't treat it like a normal attribute.

> So I'd like to do something like
>
>
> if ( LDAP-Group) {
>    update reply {
>      Reply-Message += "%{LDAP-Group}"
>    }
> }
>
>
> This does not work. First of all, the if condition is never met. Also
> the Reply-Message is empty if

The LDAP-Group attribute doesn't exist. It is an internal "special"
attribute which does tests, it doesn't have a value. So you can use it
to check groups, but not to find out which groups the user is in. See
the group search config options for rlm_ldap.

A user could be in thousands of groups. Expanding a list of them all
does not generally make sense.

You can use an if/elsif construct to update the Reply-Message, testing
for each group, as you have already got working.

Or you may be able to come up with an ldap xlat which returns the
information you need in your own situation, e.g. you know that a user
will only ever be in one group (otherwise the xlat will only return the
first one that is returned).

--
Matthew

Re: Using the contents of LDAP-Group

Michael Schwartzkopff-3
On 14.12.20 12:39, Matthew Newton wrote:

>
>
> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>> I want to reply with the contents of the LDAP-Group Attribute.
>
> LDAP-Group is magic, you can't treat it like a normal attribute.
>
>> So I'd like to do something like
>>
>>
>> if ( LDAP-Group) {
>>    update reply {
>>      Reply-Message += "%{LDAP-Group}"
>>    }
>> }
>>
>>
>> This does not work. First of all, the if condition is never met. Also
>> the Reply-Message is empty if
>
> The LDAP-Group attribute doesn't exist. It is an internal "special"
> attribute which does tests, it doesn't have a value. So you can use it
> to check groups, but not to find out which groups the user is in. See
> the group search config options for rlm_ldap.
>
> A user could be in thousands of groups. Expanding a list of them all
> does not generally make sense.
>
> You can use an if/elsif construct to update the Reply-Message, testing
> for each group, as you have already got working.
>
> Or you may be able to come up with an ldap xlat which returns the
> information you need in your own situation, e.g. you know that a user
> will only ever be in one group (otherwise the xlat will only return
> the first one that is returned).
>
Thanks. Found it out the hard way.

Thanks for the hint with the xlat. I will have a look into that.

Kind regards,





Re: Using the contents of LDAP-Group

arr2036


> On Dec 14, 2020, at 5:44 AM, Michael Schwartzkopff <[hidden email]> wrote:
>
> Signed PGP part
> On 14.12.20 12:39, Matthew Newton wrote:
>>
>>
>> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>>> I want to reply with the contents of the LDAP-Group Attribute.
>>
>> LDAP-Group is magic, you can't treat it like a normal attribute.
>>
>>> So I'd like to do something like
>>>
>>>
>>> if ( LDAP-Group) {
>>>    update reply {
>>>      Reply-Message += "%{LDAP-Group}"
>>>    }
>>> }
>>>
>>>
>>> This does not work. First of all, the if condition is never met. Also
>>> the Reply-Message is empty if
>>
>> The LDAP-Group attribute doesn't exist. It is an internal "special"
>> attribute which does tests, it doesn't have a value. So you can use it
>> to check groups, but not to find out which groups the user is in. See
>> the group search config options for rlm_ldap.
>>
>> A user could be in thousands of groups. Expanding a list of them all
>> does not generally make sense.
>>
>> You can use an if/elsif construct to update the Reply-Message, testing
>> for each group, as you have already got working.
>>
>> Or you may be able to come up with an ldap xlat which returns the
>> information you need in your own situation, e.g. you know that a user
>> will only ever be in one group (otherwise the xlat will only return
>> the first one that is returned).
>>
>
> Thanks. Found it out the hard way.
>
> Thanks for the hint with the xlat. I will have a look into that.
Or enable LDAP group caching in the ldap module config and you'll get
the complete list written out to local attributes.

Then just

update reply {
        Reply-Message := "%{LDAP-Group[*]}"
}

-Arran
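As an added example (not from any of the posts above), the two approaches in this thread side by side in FreeRADIUS 3.x syntax: the per-group membership test Matthew refers to, and the group cache Arran refers to, which is the `cacheable_name` / `cacheable_dn` setting in the `group {}` section of the default `ldap` instance. The base_dn, filter and LDAP attribute names are constructed placeholders, and the expansion names the control list explicitly, which is where rlm_ldap writes the cached memberships.

```unlang
#  mods-available/ldap (default instance "ldap"), group section only.
#  base_dn, filter and LDAP attribute names are constructed placeholders.
ldap {
    group {
        base_dn = "ou=groups,dc=example,dc=org"
        filter = "(objectClass=groupOfNames)"
        name_attribute = cn
        membership_attribute = "memberOf"

        #  Both default to 'no'. With the default, LDAP-Group is only a
        #  comparison: (LDAP-Group == "admin") works, but "%{LDAP-Group}"
        #  expands to nothing because no attribute with a value exists.
        #  With cacheable_name = yes, rlm_ldap writes every group name the
        #  user belongs to into control:LDAP-Group when the user is found.
        cacheable_name = yes
        cacheable_dn = no
    }
}

#  sites-enabled/default
post-auth {
    #  Per-group test, as in the original post. Works with or without caching.
    if (LDAP-Group == "admin") {
        update reply {
            Reply-Message += "sysmaster"
        }
    }

    #  Only populated once cacheable_name is enabled. [*] expands all
    #  values of the attribute; the list is named explicitly, since an
    #  expansion without a list prefix reads the request list.
    if (&control:LDAP-Group) {
        update reply {
            Reply-Message += "groups: %{control:LDAP-Group[*]}"
        }
    }
}
```

Run the server in debug mode (`radiusd -X`) to confirm that `control:LDAP-Group` is populated after the ldap module runs before relying on the expansion.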



Re: Using the contents of LDAP-Group

Michael Schwartzkopff-3
On 14.12.20 21:20, Arran Cudbard-Bell wrote:

>
>> On Dec 14, 2020, at 5:44 AM, Michael Schwartzkopff <[hidden email]> wrote:
>>
>> Signed PGP part
>> On 14.12.20 12:39, Matthew Newton wrote:
>>>
>>> On 14/12/2020 11:20, Michael Schwartzkopff wrote:
>>>> I want to reply with the contents of the LDAP-Group Attribute.
>>> LDAP-Group is magic, you can't treat it like a normal attribute.
>>>
>>>> So I'd like to do something like
>>>>
>>>>
>>>> if ( LDAP-Group) {
>>>>    update reply {
>>>>      Reply-Message += "%{LDAP-Group}"
>>>>    }
>>>> }
>>>>
>>>>
>>>> This does not work. First of all, the if condition is never met. Also
>>>> the Reply-Message is empty if
>>> The LDAP-Group attribute doesn't exist. It is an internal "special"
>>> attribute which does tests, it doesn't have a value. So you can use it
>>> to check groups, but not to find out which groups the user is in. See
>>> the group search config options for rlm_ldap.
>>>
>>> A user could be in thousands of groups. Expanding a list of them all
>>> does not generally make sense.
>>>
>>> You can use an if/elsif construct to update the Reply-Message, testing
>>> for each group, as you have already got working.
>>>
>>> Or you may be able to come up with an ldap xlat which returns the
>>> information you need in your own situation, e.g. you know that a user
>>> will only ever be in one group (otherwise the xlat will only return
>>> the first one that is returned).
>>>
>> Thanks. Found it out the hard way.
>>
>> Thanks for the hint with the xlat. I will have a look into that.
> Or enable LDAP group caching in the ldap module config and you'll get
> the complete list written out to local attributes.
>
> then just
>
> update reply {
> Reply-Message := "%{LDAP-Group[*]}"
> }
>
> -Arran
>
Thanks. That was what I missed. Now it works.


Kind regards,



