From: Nick Porter Date: Fri, 19 May 2023 10:02:32 +0000 (+0100) Subject: Update docs about LDAP group membership checks X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f51e92d37ed5e5b08ddb34a2cceb09e8e7956d7b;p=thirdparty%2Ffreeradius-server.git Update docs about LDAP group membership checks --- diff --git a/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc b/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc index ef6cbf0a0a1..8b3e2e36c20 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/authorization/groups.adoc @@ -129,10 +129,11 @@ specified as a DN, and if the directory implements _variant 2_, then the group would be specified by name. ==== -Group checks are performed using the virtual attribute `LDAP-Group`. -Comparing this attribute to a group name or group DN, will, (if group caching -is not enabled) result in a query being sent to the LDAP Directory to determine -if the user is a member of the specified group. +Group checks can be performed using the xlat `%(ldap.memberof:)`. +Using this xlat, will, (if group caching is not enabled or the +ldap module has not already been called) result in one or more +queries being sent to the LDAP Directory to determine if the +user is a member of the specified group. When performing group checks LDAP module abstracts away the differences between group membership _variants [1-4]_ so long as it has been configured @@ -142,7 +143,7 @@ appropriately. [source,unlang] ---- -if (LDAP-Group == 'cn=foo,ou=groups,dc=example,dc=com') { +if (%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == 'yes') { update reply { &Reply-Message := "Welcome member of group 'foo'" } 
@@ -153,7 +154,7 @@ if (LDAP-Group == 'cn=foo,ou=groups,dc=example,dc=com') { [source,unlang] ---- -if (LDAP-Group == 'foo') { +if (%(ldap.memberof:foo) == 'yes') { update reply { &Reply-Message := "Welcome member of group 'foo'" } diff --git a/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc b/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc index 80971ccfdc0..aae74d7f94f 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/authorization/locating_the_user.adoc @@ -1,7 +1,7 @@ = Locating the user No matter how the LDAP module is called (via its `authorize`, `authenticate`, -`accounting` methods or an `LDAP-Group` comparison) the first operation the +`accounting` methods or the `%(ldap.memberof:)` xlat) the first operation the module performs it to populate `&control.LDAP-UserDN` with the location of the authenticating user's object in LDAP. diff --git a/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc b/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc index 47f7a7f30ce..a090140a42c 100644 --- a/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc +++ b/doc/antora/modules/howto/pages/modules/ldap/base_configuration/index.adoc @@ -110,8 +110,7 @@ server default { } ---- -Group checks may be performed _after_ the LDAP's authorize -method has run, using the pair comparison attribute `LDAP-Group`. +Group checks may be performed using the xlat `%(ldap.memberof:)`. [source,unlang] ---- @@ -119,7 +118,7 @@ server default { ... recv Access-Request { ldap - if (&LDAP-Group != 'cn=authorized_users,ou=groups,dc=example,dc=com') { + if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == 'yes') { reject } ...
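Review bot: The rewritten condition in the base_configuration index.adoc hunk at @@ -119 inverts the example's logic. The removed line `if (&LDAP-Group != 'cn=authorized_users,ou=groups,dc=example,dc=com') {` rejected users who are not in the group, whereas the added line `if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == 'yes') {` rejects exactly the authorized members and lets everyone else through. It should test for `!= 'yes'` (or otherwise negate the check) so the documented access-control behaviour is preserved; as written, anyone copying this snippet gets the opposite policy.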
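Review bot: The new paragraph in the groups.adoc hunk at @@ -129 never states what `%(ldap.memberof:)` returns, yet every example that follows compares its result to `'yes'`; add a sentence describing the xlat's return values so readers know what to compare against. The comma placement in `Using this xlat, will, (if group caching is not enabled or the` is also awkward; something like `Using this xlat will (if group caching is not enabled, or the ldap module has not already been called) result in one or more queries ...` reads more cleanly.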
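Review bot: In the locating_the_user.adoc hunk, the unchanged context line `module performs it to populate &control.LDAP-UserDN` has a typo (`it` should be `is`); since this sentence is already being edited, fixing it in the same commit would be cheap.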