[RADIATOR] Radiator / LDAP / matching on multi-valued field

Dave Kitabjian dave at corp.netcarrier.com
Fri Feb 11 22:39:58 UTC 2022


Hi folks,

Question:

I want to allow only authorized people to access specific NASes. And the authorization needs to come from Active Directory (LDAP2).

Obviously, I have access to NAS-IP-Address coming in from the Access-Request. The problem is that our AD organizes authorized staff into groups which are presented using the "memberOf" attribute. When I fetch that from AD, someone like me who belongs to multiple groups gets an ugly mess that looks like this:

07715580 Fri Feb 11 17:03:48 2022 710905: DEBUG: LDAP got memberOf: CN=Development Team,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=OUC,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=My Engineering,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=My Alarms,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=All Staff,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=Management List,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com CN=Graphic Development,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com

The only part that tells me I have access to a particular NAS is the "Admin Access" entry. I could just do a clumsy regex to look for a match. But the documentation:

https://www.open.com.au/radiator/ref/AuthAttrDef_AuthByLDAP2.html#Host_AuthByLDAP2-24

says something about support for multi-valued LDAP attributes. But I don't understand the data structure; I can't seem to parse on commas or spaces. Does this type of data qualify for the "multi-valued" parsing that is advertised in the documentation? In other words, if I did a check for "DC=com CN=Admin Access", would it find a match?

So, the second part of my problem is that obviously "DC=com CN=Admin Access" won't match the NAS-IP-Address. What I really need is logic like:

IF AD.memberOf(user) matches "DC=com CN=Admin Access" AND NAS-IP-Address = A.B.C.D
THEN PASS
ELSE IF AD.memberOf(user) matches "DC=com CN=Regular Access" AND NAS-IP-Address = W.X.Y.Z
THEN PASS
ELSE FAIL

Guidance on how to solve this problem is greatly appreciated!

Dave
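The authorization logic sketched in the post (group membership AND NAS-IP-Address, deny otherwise), as an added stand-alone example that is not part of the original message and not Radiator's own code. Radiator hooks are written in Perl and the AuthBy LDAP2 multi-valued attribute handling is not reproduced here; this Python script only shows the policy check itself, and two things a "clumsy regex" on the flattened debug string gets wrong: a substring match on "Admin Access" also matches a group merely named like it, and AD DNs compare case-insensitively and may carry RFC 4514 escapes. The sample memberOf values, the POLICY table, the NAS addresses and the base-DN suffix used to split the space-joined debug form are all constructed assumptions for illustration.

```python
"""Group-to-NAS authorization over a multi-valued LDAP memberOf attribute.

Constructed example (not Radiator code). Policy is deny-by-default: a request
passes only if one of the user's groups is explicitly allowed on that NAS.
"""
import ipaddress
import re

# Constructed sample of what an LDAP client returns for a multi-valued
# attribute: one string per value. Shapes mirror the debug output in the post.
SAMPLE_MEMBEROF = [
    "CN=Development Team,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com",
    "CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com",
    "CN=All Staff,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com",
    # A group whose name merely *contains* the authorized group's name.
    "CN=Admin Access Requests,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com",
]

# Hypothetical policy: full group DN -> NAS addresses or CIDR ranges it may reach.
POLICY = {
    "CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com": {"10.0.0.1", "10.0.0.2"},
    "CN=Regular Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com": {"10.0.1.0/24"},
}


def _split_unescaped(text, sep):
    """Split on `sep` while honouring backslash escapes (RFC 4514 DN syntax)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value):
    """Drop the backslash from an RFC 4514 escape such as '\\,' or '\\='."""
    return re.sub(r"\\(.)", r"\1", value)


def normalize_dn(dn):
    """Parse a DN into ((type, value), ...) with both lower-cased.

    Assumption: AD attribute values compare case-insensitively, so folding
    case gives an exact, canonical comparison key. Multi-valued RDNs ('+')
    are not handled; they do not occur in AD group DNs.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), _unescape(value).strip().lower()))
    return tuple(rdns)


def split_flattened_memberof(text, base_dn_suffix="DC=com"):
    """Recover individual DNs from the space-joined form seen in the debug log.

    Heuristic (assumption): a DN boundary is whitespace that follows the base
    DN suffix and precedes 'CN='. Spaces inside a CN are left alone. Prefer
    the list form from the LDAP client whenever it is available.
    """
    boundary = re.compile(r"(?<=%s)\s+(?=CN=)" % re.escape(base_dn_suffix), re.IGNORECASE)
    return [p for p in boundary.split(text.strip()) if p]


def naive_substring_match(memberof_values, group_name):
    """The 'clumsy regex' approach, kept only to show its false positive."""
    return any(group_name in v for v in memberof_values)


def authorize(memberof_values, nas_ip, policy=POLICY):
    """True only if some group the user is in is allowed on nas_ip; else False."""
    try:
        nas = ipaddress.ip_address(nas_ip)
    except ValueError:
        return False  # malformed NAS-IP-Address: fail closed
    groups = {normalize_dn(g) for g in memberof_values}
    for group_dn, allowed in policy.items():
        if normalize_dn(group_dn) not in groups:
            continue
        if any(nas in ipaddress.ip_network(a, strict=False) for a in allowed):
            return True
    return False


if __name__ == "__main__":
    print("Admin on 10.0.0.1:", authorize(SAMPLE_MEMBEROF, "10.0.0.1"))
    print("Admin on 10.0.1.5:", authorize(SAMPLE_MEMBEROF, "10.0.1.5"))
    lookalike = [SAMPLE_MEMBEROF[3]]
    print("Lookalike, substring:", naive_substring_match(lookalike, "Admin Access"))
    print("Lookalike, exact DN :", authorize(lookalike, "10.0.0.1"))
```

The policy is keyed on the full group DN rather than the bare CN so that a same-named group created elsewhere in the directory (or a "CN=Admin Access Requests" lookalike) cannot satisfy it, and an unparsable NAS-IP-Address is rejected rather than ignored.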
