Using the contents of LDAP-Group

Matthew Newton mcn at freeradius.org
Mon Dec 14 12:39:58 CET 2020



On 14/12/2020 11:20, Michael Schwartzkopff wrote:
> I want to reply with the contents of the LDAP-Group Attribute.

LDAP-Group is magic, you can't treat it like a normal attribute.

> So I'd like to do something like
> 
> 
> if ( LDAP-Group) {
>    update reply {
>      Reply-Message += "%{LDAP-Group}"
>    }
> }
> 
> 
> This does not work. First of all, the if condition is never met. Also
> the Reply-Message is empty if

The LDAP-Group attribute doesn't exist. It is an internal "special" 
attribute which does tests, it doesn't have a value. So you can use it 
to check groups, but not to find out which groups the user is in. See 
the group search config options for rlm_ldap.

A user could be in thousands of groups. Expanding a list of them all 
does not generally make sense.

You can use an if/elsif construct to update the Reply-Message, testing 
for each group, as you have already got working.

Or you may be able to come up with an ldap xlat which returns the 
information you need in your own situation, e.g. you know that a user 
will only ever be in one group (otherwise the xlat will only return the 
first one that is returned).

-- 
Matthew
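The if/elsif construct the reply describes, written out as an added unlang example (not part of the original post). It assumes the `ldap` module is configured with a group search, that the block lives in the `post-auth` section, and that the group names `netadmins` and `staff` are placeholders for your own groups; each `LDAP-Group == "..."` comparison is a membership test that rlm_ldap answers with a lookup, not a read of a stored value.

```unlang
# Added example: report which of a fixed, known set of groups the user
# belongs to. LDAP-Group can only be compared against a group name; it
# never expands to a list, so every group of interest is tested explicitly.
# Group names below are assumed placeholders.
post-auth {
    if (LDAP-Group == "netadmins") {
        update reply {
            Reply-Message += "group:netadmins"
        }
    }
    elsif (LDAP-Group == "staff") {
        update reply {
            Reply-Message += "group:staff"
        }
    }
    else {
        # Neither test matched; say so rather than sending an empty message.
        update reply {
            Reply-Message += "group:none"
        }
    }
}
```

Each comparison can cost an LDAP round trip, so keep the list of tested groups short and ordered from most to least specific; the first matching branch wins and the remaining groups are not checked, which is the same "first one only" behaviour the reply warns about for an xlat.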

