Hi everyone, I'm trying to wrap my head around this, digging in the archives and the wiki with no luck, so I'm looking for a few pointers. We are currently using freeradius to to proxy requests to a central One-Time-password server (which is outside our control). This is purely authentication, we send the cleartext token we received from the NAS, they check and either reject or reply. (The only reason we do this is because the upstream organization is not willing to deal with the administration of the NASes and we've been asked to aggregate traffic) Now with a new solution I also need to query a central ldap database for authorization info: I need to get a given attribute off of user records and present them to the NAS. I was pointing my finger at Filter-Id, but purely because the NAS docs points at it, it could really be anything. If I omit the proxy part, then it's just a straightforward ldap config with adding the attribute as a reply Item mapped to Filter-ID in the ldap.attrmap with +=, getting rid of reading the userPassword so that no one tries to auth against the password there and enable ldap in the authorize section. However, when I then proxy the request these extra Filter-Ids are lost: they are neither proxied (which is just as well, I really don't know what would the homeserver do about it) nor are they sent in my reply. I've found traces of something like this being discussed that this is because there is a separate data structure, but that is over a decade old, and I'm a bit confused on how this supposed to work. Is there a way to keep does attributes (or to get them after proxying, either in post-proxy or post-auth maybe?) by using rlm_ldap? I could probably write a short perl that queries this directly in post-auth, but basically the reason I want to do this in radius instead of the NAS is because I would need a mild hack on my networking to allow it to directly reach the ldap, so I though that, the radius box can reach the ldap, it can talk ldap, the nas is connected anyway.. But if it's troublesome with radius, then I'd rather not hack it. Does anyone have a pointer on what track should I go down? Thanks! tamas