Il 12/01/2018 17:12, Alan DeKok ha scritto:
You can do it. But you need to have the query return one object... as the error message tells you.
so I fixed my queries. I used something like &FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}" instead of &FreeRADIUS-Client-Secret = "%{ldap:ldap:///BASEDN?radiusClientSecret,objectClass?one?(radiusClientIdentifier=%{Packet-Src-IP-Address})}" And I've been able to send the auth request to a virtual server where I reply a CISCO auth level looking for user's LDAP attributes. Something like: if ("%{ldap:ldap://127.0.0.1/BASEDN?objectClass?one?(&(o=ciscoAdminGroup1)(cn=%{User-Name}))}") { update reply { Reply-Message += "Hello ciscoAdminGroup1 member!" Cisco-AVPair += "shell:priv-lvl=15" } I'm not done yet. But wanted to share the result. Regards, Giuseppe