Config hints for providing list of groups in post-auth?
Mike Ely
me at mikeely.org
Tue Jun 7 20:45:24 CEST 2016
On 06/07/2016 11:29 AM, Mike Ely wrote:
> On 06/07/2016 08:55 AM, Alan DeKok wrote:
>> On Jun 7, 2016, at 11:52 AM, Mike Ely <me at mikeely.org> wrote:
>>> Intriguing. Are you aware of a way in "unlang" to pull all of a
>>> user's group memberships and present those in the reply to the NAS?
>>> It would certainly be easier to maintain compared to calling an
>>> external script.
>> In v3.0.x, you might as well use a shell script.
> We have to stick with 3.0.x for now. I'm _this_ close here. I wrote a
> module that follows the pattern in the ntlm_auth module, and call it
> in post-auth. I can see it run successfully:
>
> Program returned code (0) and output 'domain users,techs'
> (0) getadgroups : Program executed successfully
> (0) [getadgroups] = ok
>
> The part I am conceptually lost on is how to get that program output -
> in the case of my test user 'domain users,techs' - into the main
> post-auth process so I can use "update reply" with whatever custom
> dictionary we settle on here.
>
> How do I set a variable to the output of this module? I've tried
> somevariable = "%{exec:/path/to/script etc etc}" in the module and
> then radius says [getadgroups] = noop
>
Never mind, figured it out. Here's where backticks are useful, put the
following into my post-auth:

update reply {
        Reply-Message := `/usr/local/bin/groupparser %{User-Name}`
}

Note: am using Reply-Message as a placeholder for now. And it works!
More information about the Freeradius-Users
mailing list
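
Added example, not part of the original post and not the poster's script (its contents are not shown in the thread): a hypothetical groupparser in shell that treats the User-Name argument as untrusted input and emits the comma-separated form seen in the debug output above. The `id -Gnz` lookup (GNU coreutils, groups resolved through NSS), the allowed character set and the 64-character limit are assumptions.

```shell
#!/bin/sh
# Hypothetical groupparser (added example): print a user's groups as one
# comma-separated line suitable for a reply attribute.
LC_ALL=C; export LC_ALL   # make ${#var} count bytes
MAXLEN=253                # a RADIUS attribute value holds at most 253 octets

# User-Name comes from the request, so treat it as untrusted: reject empty
# values, a leading '-' (would be parsed as an option) and unexpected
# characters. Sites using DOMAIN\user names must extend this deliberately.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Assumption: GNU id is available. -z separates names with NUL, so group
# names containing spaces ("domain users") stay intact.
lookup_groups() {
    id -Gnz -- "$1" | tr '\0' '\n'
}

# Read one group per line, drop control characters and names containing a
# comma, and join whole names only while the result fits in MAXLEN.
join_groups() {
    out=''
    while IFS= read -r g || [ -n "$g" ]; do
        g=$(printf '%s' "$g" | tr -d '[:cntrl:]')
        [ -n "$g" ] || continue
        case "$g" in *,*) continue ;; esac
        new="${out:+$out,}$g"
        [ "${#new}" -le "$MAXLEN" ] || break
        out=$new
    done
    printf '%s\n' "$out"
}

groupparser() {
    valid_username "$1" || return 1
    groups=$(lookup_groups "$1" 2>/dev/null | join_groups)
    [ -n "$groups" ] || return 1   # unknown user or no groups
    printf '%s\n' "$groups"
}

# Run only when called with an argument, e.g. groupparser testuser
[ "$#" -eq 0 ] || groupparser "$1"
```

A non-zero exit with no output lets the calling policy tell a rejected or unknown name apart from a user with groups.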