<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
color:black;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>I’m just guessing, and could be WAY
off, but may be an inner-tunnel vs. outer-tunnel thing. I think there’s
an option to copy inner-tunnel attribs to outer-tunnel attribs. Maybe start
searching in those areas and wait for someone that actually knows something about
FR to reply. I used to know a LITTLE bit, but I hardly touch it anymore and
find myself forgetting all but the very basics.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>G<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'> freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Adam Track<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, November 01, 2011
1:36 PM<br>
<b><span style='font-weight:bold'>To:</span></b> '
freeradius-users@lists.freeradius.org' <br>
<b><span style='font-weight:bold'>Subject:</span></b> Referencing LDAP
attributes in post-auth</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<div id=yiv1167348323>
<div>
<div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Hello,<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>I'm sorry for
asking such a simple(?) thing, but my lack of understanding is not due to a
lack of reading, searching, trial-and-error... I just can't seem to figure out
how to reference an ldap attribute in post-auth. Using freeradius 2.1.8,
PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works
great. As an added functionality, I need to send to the NAS a few extra
attributes based on an ldap attribute "personType". I've
added mapping for this attribute, and here's a snippet of the debug output from
the authorize section of the virtual server:<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>...<o:p></o:p></span></font></p>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>[ldap]
looking for check items in directory...<br>
[ldap] looking for reply items in directory...<br>
[ldap] personType -> Person-Type = "employee"<br>
[ldap] personType -> Person-Type = "fulltime"<br>
[ldap] personType -> Person-Type = "it"<br>
WARNING: No "known good" password was found in LDAP. Are you
sure that the user is configured correctly?<br>
[ldap] user tadam authorized to use remote access<br>
[ldap] ldap_release_conn: Release Id: 0<br>
++[ldap] returns ok<br id="yiv1167348323yui_3_2_0_14_1320159204640454">
...<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>How do I
reference this attribute in a perl script I call from post-auth? It's not
in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK... <o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Actually, I
can't even figure out how to call it from the post-auth section itself.. I've
tried different things, but I'm thinking the following should work:<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>update reply{<br>
Reply-Message := "Type: %{reply:Person-Type}."<br>
}<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Yet, I get:<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>...<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>+- entering
group post-auth {...}<br>
expand: Type: %{reply:Person-Type}.
-> Type: .<br>
++[reply] returns noop<br>
...<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>Is there
something else I need to do to make sure the values returned from the ldap
module are saved for reference outside the authorization block? <o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'>A.<o:p></o:p></span></font></p>
</div>
<div id="yiv1167348323yui_3_2_0_14_132015920464040">
<p class=MsoNormal style='background:white'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
</div>
</div>
</div>
</div>
</div>
</div>
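<p class=MsoNormal>Added example, not part of either message above: in FreeRADIUS 2.x the option the reply alludes to is use_tunneled_reply in the peap section of eap.conf. The fragment assumes the ldap module runs in the inner-tunnel virtual server and the post-auth block from the question sits in the outer server; the thread does not say which server each section belongs to, and the server name "default" is a placeholder.</p>

```text
# eap.conf (FreeRADIUS 2.x), inside the eap { } block
peap {
	default_eap_type = mschapv2
	virtual_server = "inner-tunnel"

	# Shipped default. Reply items added inside the tunnel (here Person-Type,
	# mapped by the ldap module) stay in the inner reply list, so the outer
	# server expands %{reply:Person-Type} to an empty string.
	#use_tunneled_reply = no

	# Copies the inner-tunnel reply list into the outer reply once the
	# tunnelled authentication succeeds. Every inner reply attribute is
	# copied, so review what the inner server adds before it can reach the NAS.
	use_tunneled_reply = yes
}

# Outer virtual server ("default" is assumed): the block from the question.
server default {
	post-auth {
		update reply {
			Reply-Message := "Type: %{reply:Person-Type}."
		}
	}
}

# Check in radiusd -X output: the "expand:" line in the outer post-auth
# should now show a value after "Type:" instead of "Type: .".
```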
</body>
</html>