Setting Class attribute by LDAP Groups
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Jul 4 09:50:07 CEST 2013
On 4 Jul 2013, at 08:22, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:
>
>> update request {
>>
>> Class = “%{Ldap-Group}”
>>
>> }
>
> You can't do that, because Ldap-Group is not a real attribute with a value;
You can do:
update reply {
Class = "%{control:Ldap-Group}"
}
In 3.0. Class will then contain the value of the first membership attribute in the user object, or the first group returned by the LDAP directory if you're using group objects.
If you have a primary group stored in a different attribute to other group membership attributes, and that's all you want to return, it may be more efficient to just use the %{ldap:ldap://} string expansion.
> it's a virtual attribute, which you compare against (think about it - you can be in >1 group)
>
> You would have to do something like this:
>
> if (Ldap-Group = grp1) {
> update reply {
> Class = "grp1"
> }
> }
>
> ...which can be slow-ish as it does 1 LDAP query per comparison.
>
> Also not Class is a reply attribute; adding it to request does nothing.
Or use 3.0 which allows you to retrieve all membership info in one operation (if you store group membership in the user object).
>
>> I did read somewhere if you included the Class variable within the reply
>> in the Access-Accept packet that it would be sent back and used within
>> the accounting messages as well but this hasn’t been the case for me.
>
> Well, as noted above you're setting class in "request" not "reply".
and this isn't guaranteed. It Depends on your NAS, and even then you should check for value truncation. Many vendors truncate Class at < 253 bytes.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
More information about the Freeradius-Users
mailing list