LDAP Xlat with multiple results

Alan DeKok aland at deployingradius.com
Fri Jun 1 15:28:07 CEST 2012


Francois Gaudreault wrote:
> I have an LDAP xlat query to populate the Ldap-Group attribute

  No.

  You can't do that.

  LDAP-Group is a *comparison* operator.  Its meaning and behavior are
defined.  It does LDAP queries to check group membership against the
string you return.

  DO NOT use it for any other purpose.

> in order
> to do crazy stuff with the group membership (out of scope to explain you
> what kind of crazy stuff).  The issue I have is that the query may
> return multiple group membership lines.
> 
> update request {
>                 Ldap-Group +=
> "%{ldap:ldap:///dc=inverse,dc=local?memberOf?sub?sAMAccountName=%u}"
>         }
> 
> My question is, how can the Ldap-Group be listed for each result the
> query return?  ie.
> Ldap-Group = "cn=group1,dc=inverse,dc=local"
> Ldap-Group = "cn=group2,dc=inverse,dc=local"
> 
> Right now, the Ldap-Group will only contain the first group of the list.

  (1) use a different attribute.  Using LDAP-Group is wrong.

  (2) the %{ldap:...} query returns a one-line string.  You *cannot*
have it return more data.  You *cannot* automatically create multiple
attributes from one string's worth of data.

  This problem requires a real programming language.  Use Perl.

  Alan DeKok.
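As an added example (not from this thread, and not FreeRADIUS's own code): an rlm_perl authorize() that runs the same memberOf search with Net::LDAP and adds every returned group DN as a separate instance of a locally defined attribute instead of Ldap-Group. The attribute name My-LDAP-Group, the LDAP URI and the bind credentials are assumptions; the attribute has to be defined in the local dictionary and rlm_perl listed in the authorize section.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# rlm_perl fills these hashes per request and writes %RAD_REQUEST back.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);
use constant { RLM_MODULE_FAIL => 1, RLM_MODULE_OK => 2, RLM_MODULE_NOOP => 7 };

my $LDAP_URI = 'ldap://ldap.example.local';       # assumption
my $BASE_DN  = 'dc=inverse,dc=local';              # base DN from the original xlat
my $BIND_DN  = 'cn=radius,dc=inverse,dc=local';    # assumption
my $BIND_PW  = 'changeme';                         # assumption; load from config in practice

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'} or return RLM_MODULE_NOOP;

    # Escape the filter value (RFC 4515) so a crafted User-Name cannot
    # change the meaning of the search filter.
    my $safe = escape_filter_value($user);

    my $ldap = Net::LDAP->new($LDAP_URI) or return RLM_MODULE_FAIL;
    my $bind = $ldap->bind($BIND_DN, password => $BIND_PW);
    return RLM_MODULE_FAIL if $bind->code;

    my $res = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => "(sAMAccountName=$safe)",
        attrs  => ['memberOf'],
    );
    $ldap->unbind;
    return RLM_MODULE_FAIL if $res->code;
    return RLM_MODULE_NOOP unless $res->count;

    # memberOf is multi-valued; get_value returns every DN in list context.
    my @groups = $res->entry(0)->get_value('memberOf');
    return RLM_MODULE_NOOP unless @groups;

    # An array reference becomes one attribute instance per element in the
    # request list, which a single %{ldap:...} string cannot produce.
    $RAD_REQUEST{'My-LDAP-Group'} = [ @groups ];
    return RLM_MODULE_OK;
}

1;
```

Group checks elsewhere in the policy can then match on My-LDAP-Group, leaving Ldap-Group to the rlm_ldap comparison it is defined for.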


