would be specified by name.
====
-Group checks are performed using the virtual attribute `LDAP-Group`.
-Comparing this attribute to a group name or group DN, will, (if group caching
-is not enabled) result in a query being sent to the LDAP Directory to determine
-if the user is a member of the specified group.
+Group checks can be performed using the xlat `%(ldap.memberof:)`.
+Using this xlat, will, (if group caching is not enabled or the
+ldap module has not already been called) result in one or more
+queries being sent to the LDAP Directory to determine if the
+user is a member of the specified group.
When performing group checks LDAP module abstracts away the differences between
group membership _variants [1-4]_ so long as it has been configured
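Review bot: the replacement sentence at "Using this xlat, will, (if group caching is not enabled ..." has stray commas that break the sentence; suggest "Using this xlat will (if group caching is not enabled or the ldap module has not already been called) result in one or more queries being sent to the LDAP directory ...". The removed text also stated that the check accepts either a group name or a group DN, and that information does not survive in the new wording even though the examples below show both forms; suggest restoring it, e.g. "The argument may be either a group name or a group DN."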
[source,unlang]
----
-if (LDAP-Group == 'cn=foo,ou=groups,dc=example,dc=com') {
+if (%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == 'yes') {
update reply {
&Reply-Message := "Welcome member of group 'foo'"
}
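Review bot: the new condition `%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == 'yes'` relies on the xlat returning the literal string `yes`, but nothing in the surrounding prose says what values the xlat expands to; suggest documenting the possible results (and what an unknown group or a failed query expands to) before this example, since readers will copy the `== 'yes'` comparison. The example as shown is also missing the closing `}` of the `if` block after `update reply { ... }`.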
[source,unlang]
----
-if (LDAP-Group == 'foo') {
+if (%(ldap.memberof:foo) == 'yes') {
update reply {
&Reply-Message := "Welcome member of group 'foo'"
}
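Review bot: this example is identical to the previous one apart from the argument to `%(ldap.memberof:...)`, and with the name/DN sentence gone from the intro the reader has no cue why there are two; suggest a short lead-in or comment for each ("by group DN" / "by group name"). As above, the `if` block is missing its closing `}`.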
= Locating the user
No matter how the LDAP module is called (via its `authorize`, `authenticate`,
-`accounting` methods or an `LDAP-Group` comparison) the first operation the
+`accounting` methods or the `%(ldap.memberof:)` xlat) the first operation the
module performs it to populate `&control.LDAP-UserDN` with the location of
the authenticating user's object in LDAP.
}
----
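Review bot: the change at "`accounting` methods or the `%(ldap.memberof:)` xlat" is fine, but the sentence it sits in carries a typo in the unchanged context, "the first operation the module performs it to populate", which should read "performs is to populate"; worth fixing while touching this line.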
-Group checks may be performed _after_ the LDAP's authorize
-method has run, using the pair comparison attribute `LDAP-Group`.
+Group checks may be performed using the xlat `%(ldap.memberof:)`.
[source,unlang]
----
...
recv Access-Request {
ldap
- if (&LDAP-Group != 'cn=authorized_users,ou=groups,dc=example,dc=com') {
+ if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == 'yes') {
reject
}
...
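Review bot: the rewritten condition inverts the logic. The removed line rejected when the user was *not* a member (`&LDAP-Group != 'cn=authorized_users,...'`), whereas the new line `if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == 'yes') { reject }` rejects exactly the users who *are* in `authorized_users`; it should be `!= 'yes'` (or, if the xlat can expand to something other than `yes`/`no`, a check that only members pass). Also, the removed prose said the check must run _after_ the module's authorize method, and the example still calls `ldap` before the check; the new sentence drops that ordering requirement, so either state it again or note that the xlat triggers the user lookup on its own.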