AD Group Checking with RADIUS Attribute Mapping

OK, I’ve done some more testing with this and made some corrections, but hit another wall. First off, the value populating into Fortinet-Group-Name was only taking the first value from the AD attribute memberOf. This was because I didn’t configure my LDAP resolver to treat Fortinet-Group-Name as a multivalue attribute. After getting that out of the way, I set rlm_perl.ini to only the following:

[Attribute Fortinet-Group-Name]
radiusAttribute = Fortinet-Group-Name
userAttribute = Fortinet-Group-Name

Testing with that configuration, I was able to verify that all member groups were being passed in the RADIUS response.

Next up, I reintroduced the regular expression and verified it using regexr.com to make sure it acted as I expected it to. Unfortunately, it seems to have no effect and further testing shows all AD groups still being passed in the RADIUS response; this also includes using/not using the dir setting.

It seems the filter mangler isn’t mangling. Following the comments and examples from lines 20-37 here https://github.com/privacyidea/FreeRADIUS/blob/master/rlm_perl.ini, what should I be seeing with this config:

[Attribute Filter-Id]
dir = user
userAttribute = memberOf
radiusAttribute = Fortinet-Group-Name
regex = CN=(\w+),OU=example,DC=example,DC=org

A response with a RADIUS attribute of Filter-Id, a radiusAttribute Fortinet-Group-Name with the value in $1? What I’m getting is an array of values from memberOf.
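Added example, not part of the original post and not the plugin's code: a stand-alone Python check of what the posted regex would capture from each value of a multivalue memberOf, which gives a reference list to compare against the groups actually seen in the RADIUS response. The sample DNs and the `filter_groups` helper are constructed for illustration; the unanchored, per-value matching is an assumption, not a statement of how the plugin behaves.

```python
import re

# Pattern copied from the post's rlm_perl.ini section.
GROUP_REGEX = r"CN=(\w+),OU=example,DC=example,DC=org"

# Constructed sample memberOf values (not from the original post).
SAMPLE_MEMBER_OF = [
    "CN=vpnusers,OU=example,DC=example,DC=org",
    "CN=vpn-admins,OU=example,DC=example,DC=org",  # hyphen: \w+ stops at '-'
    "CN=Domain Users,CN=Users,DC=example,DC=org",  # different container
    "cn=helpdesk,ou=example,dc=example,dc=org",    # lower-case DN components
]


def filter_groups(values, pattern=GROUP_REGEX, ignore_case=False):
    """Apply the regex to each value separately.

    Returns (mapped, dropped): capture group 1 of every matching value,
    and the raw values that did not match and would be withheld.
    """
    if isinstance(values, str):  # a single-valued attribute may be a string
        values = [values]
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    mapped, dropped = [], []
    for value in values:
        match = rx.search(value)  # assumption: unanchored match per value
        if match:
            mapped.append(match.group(1))
        else:
            dropped.append(value)
    return mapped, dropped


if __name__ == "__main__":
    mapped, dropped = filter_groups(SAMPLE_MEMBER_OF)
    print("would be sent as Fortinet-Group-Name:", mapped)
    for value in dropped:
        print("no match, should not be sent:", value)
```

Any group that shows up in the RADIUS response but lands in `dropped` here was not filtered by the regex.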