Static mapping values in LDAP Resolver

Hi Cornelius,
I have several different Active Directory groups that I am attempting to control access for.
Depending on which group a user is a part of, they should have different values returned to FreeRADIUS so I can execute post-auth commands. (For example: Joe and Bob are members of different Active Directory groups. When they log in via RADIUS they should each get back an attribute named Filter-ID. Joe’s Filter-ID value should be Upstairs and Bob’s Filter-ID value should be Downstairs.)

My current solution to this is as follows:
I have two different resolvers that filter by memberOf an Active Directory group. The first resolver maps the Active Directory memberOf attribute to an attribute called group. The second resolver does not have the attribute mapping for group. Inside FreeRADIUS, if the group attribute is populated I set the Filter-ID to Upstairs and if the group attribute is not populated I set the Filter-ID to Downstairs.

I realize this solution will not work for more than two groups and is somewhat hack-ish :wink:
My ideal would be to map the “proper group” membership to an attribute. That way Joe could have an attribute named group with a value of Upstairs and Bob could have an attribute named group with a value of Downstairs.
A separate idea that would also work would be changing the resolver to map the attribute “group” to a static text string like “Upstairs” or “Downstairs”, if there is a way to do this within privacyIDEA.
A third option which I do not prefer would be to change the value of an Active Directory attribute (setting the physicalDeliveryOfficeName attribute to Upstairs or Downstairs for example), but I would prefer not to do this, because it leaves open the possibility of changing the Active Directory group membership without changing that attribute, putting the user in an inconsistent state.

Is there a different solution that I am missing or do I just need to deal with changing an Active Directory attribute whenever I change group membership?
Thank you!

Honestly I think using groups in the first place is a bad idea.
You could put a user in both groups or in three groups.
What should happen then?

You should have put the attribute in ONE LDAP attribute like physicalDeliveryOfficeName.
privacyIDEA could handle this easily.
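As an added illustration of the two approaches discussed in this thread (not code from privacyIDEA, FreeRADIUS, or either poster), the block below derives the RADIUS Filter-Id value for a user first from Active Directory group membership and then from a single attribute such as physicalDeliveryOfficeName. The group-based path fails closed in exactly the case raised above: a user who is in none or more than one of the mapped groups gets no value and an Access-Reject. The attribute-based path validates the value against an allow-list so that a stray value in the directory cannot become an arbitrary Filter-Id. The group DNs, user entries and the `decide` helper are all constructed for this example.

```python
"""Map directory attributes to a RADIUS Filter-Id value.

Added example, not part of privacyIDEA or FreeRADIUS. The group DNs and the
user entries are constructed; real entries would come from an LDAP search.
"""
from typing import Dict, List, Tuple

# Hypothetical AD groups and the Filter-Id each one should produce.
GROUP_TO_FILTER_ID: Dict[str, str] = {
    "CN=Upstairs,OU=Groups,DC=example,DC=com": "Upstairs",
    "CN=Downstairs,OU=Groups,DC=example,DC=com": "Downstairs",
}
# Only these values may ever be sent back in the RADIUS reply.
ALLOWED_FILTER_IDS = frozenset(GROUP_TO_FILTER_ID.values())

# Entry shape mimics an LDAP search result: attribute -> list of values.
LdapEntry = Dict[str, List[str]]


class AmbiguousMembership(ValueError):
    """Membership does not determine exactly one Filter-Id."""


def filter_id_from_groups(entry: LdapEntry) -> str:
    """Derive Filter-Id from memberOf.

    Fails closed when the user is in zero or more than one mapped group,
    which is the situation a two-resolver setup cannot express.
    DN comparison is case-insensitive, as in Active Directory.
    """
    member_of = {dn.lower() for dn in entry.get("memberOf", [])}
    matches = sorted({fid for dn, fid in GROUP_TO_FILTER_ID.items()
                      if dn.lower() in member_of})
    if len(matches) != 1:
        raise AmbiguousMembership(
            f"{entry.get('sAMAccountName', ['?'])[0]}: mapped groups -> {matches}")
    return matches[0]


def filter_id_from_attribute(entry: LdapEntry,
                             attr: str = "physicalDeliveryOfficeName") -> str:
    """Derive Filter-Id from one single-valued attribute.

    Rejects a missing, multi-valued, or unknown value so that a typo in the
    directory cannot inject an unexpected Filter-Id into the reply.
    """
    values = entry.get(attr, [])
    if len(values) != 1 or values[0] not in ALLOWED_FILTER_IDS:
        raise ValueError(
            f"{entry.get('sAMAccountName', ['?'])[0]}: {attr}={values} not allowed")
    return values[0]


def decide(entry: LdapEntry, source: str = "groups") -> Tuple[str, str, str]:
    """Return (reply_code, filter_id, reason) the way a post-auth policy would.

    Any mapping failure yields Access-Reject rather than a default value.
    """
    try:
        fid = (filter_id_from_groups(entry) if source == "groups"
               else filter_id_from_attribute(entry))
    except ValueError as exc:          # AmbiguousMembership is a ValueError
        return ("Access-Reject", "", str(exc))
    return ("Access-Accept", fid, "")


# Constructed sample users.
JOE: LdapEntry = {
    "sAMAccountName": ["joe"],
    "memberOf": ["CN=Upstairs,OU=Groups,DC=example,DC=com"],
    "physicalDeliveryOfficeName": ["Upstairs"],
}
BOB: LdapEntry = {
    "sAMAccountName": ["bob"],
    "memberOf": ["cn=downstairs,ou=groups,dc=example,dc=com"],  # case differs
    "physicalDeliveryOfficeName": ["Downstairs"],
}
CAROL: LdapEntry = {  # in both groups: ambiguous
    "sAMAccountName": ["carol"],
    "memberOf": list(GROUP_TO_FILTER_ID),
    "physicalDeliveryOfficeName": ["Upstairs"],
}
DAVE: LdapEntry = {  # in no mapped group, attribute outside the allow-list
    "sAMAccountName": ["dave"],
    "memberOf": ["CN=Printers,OU=Groups,DC=example,DC=com"],
    "physicalDeliveryOfficeName": ["Basement"],
}

if __name__ == "__main__":
    for user in (JOE, BOB, CAROL, DAVE):
        print(user["sAMAccountName"][0], decide(user, "groups"),
              decide(user, "attribute"))
```

The group path and the attribute path give the same answer for Joe and Bob; they differ for Carol, where group membership is ambiguous but the single attribute is not. Whichever source is used, the policy returns Access-Reject rather than guessing, so an inconsistent directory state shows up as a failed login instead of a silently wrong Filter-Id.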

I’ll just do that, then.
I didn’t know if there was something in the config that I was missing :slight_smile: