FR Developer for hire: Adding Accounting support to the rlm_ldap module?

Peter Lambrechtsen peter at
Thu May 3 11:09:48 CEST 2012


I was wanting to know if someone would be interested in being paid to add
"accounting" support into the RLM_LDAP module.

For this I am wanting when calling the ldap module during the "accounting"
section so it can update/delete records in the LDAP directory based on the
Acct-Status-Type and using a new field type into the ldap.attrmap.  Ideally
I would be looking for when you get an accounting Start it adds or updates
an attribute, for an Interim-Update also add/update and for a Stop then
removes the attribute.

In the ldap.attrmap the following ItemType should be extended to support
both accounting start / interim update and stop verbs over and above the
current checkItem/replyItem.

checkItem    NAS-IP-Address            radiusNASIpAddress
replyItem    Framed-IP-Address        radiusIpAddress
acctStartItem     NAS-Port-Id      radiusNASPortId
acctIntUpdItem         NAS-Port-Id      radiusNASPortId
acctStopItem     NAS-Port-Id      radiusNASPortId

This would mean that when an accounting start packet came through the same
LDAP Filter lookup used for the authenticate & authorize would be done for
the customer record and query for the acctStartItem attributes if the
accounting request had the matching VSA then the LDAP Module would do a
LDAP replace attribute or if the attribute didn't exist do a ldap add
attribute.  The same applies for an Interim-Update and subsequently for a
stop packet remove the attribute from the directory if it exists.
The wrinkle with LDAP is you can't always do a LDAP add, you need to use
replace if the attribute exists.

I've written this in Perl and it works reasonably well but it would be
ideal to have this working inside ldap as then the custom perl code I wrote
wouldn't be needed.  Below is the perl i've written.

    my $ldap = Net::LDAP->new ( "" ) or die "$@";
    my $mesg = $ldap->bind ( "cn=admin,o=admin", password => "password",
version => 3 );
    my $attrs = [ 'radiusNASPortId' ];
    my $result = $ldap->search ( base   => "o=Identities", scope => "sub",
                               filter =>
                               attrs  => $attrs );
    my $attrcount = $result->count;
    if ($result->count > 0) {
        my @entries = $result->entries;
        my $userdn = @entries[0]->dn;
        my $sessionfound = @entries[0]->exists('radiusNASPortId');
        if ( $RAD_REQUEST{'Acct-Status-Type'} =~ "Start" ) {
             if ( @entries[0]->exists('radiusNASPortId') ) {
                my $newresult = $ldap->modify($userdn , replace => {
'radiusNASPortId' => "$RAD_REQUEST{'NAS-Port-Id'}" } );
            } else {
                my $newresult = $ldap->modify($userdn , add => {
'radiusNASPortId' => "$RAD_REQUEST{'NAS-Port-Id'}" } );
        if ( $RAD_REQUEST{'Acct-Status-Type'} =~ "Stop" ) {
             if ( @entries[0]->exists('radiusNASPortId') ) {
                my $newresult = $ldap->modify($userdn ,    delete => {
'radiusNASPortId' => [] } );

To get someone who is familiar with the freeradius code base and can write
code which would be acceptable to be committed back into the mainline FR
codebase as this should be code contributed back to the community.

How much development effort would be required (x days?) and who would be
interested in being paid (and how much) to do the work?

Feel free to email me directly off list if you're interested.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Devel mailing list