EXEC question w/ LDAP Attributes

Reynold McGuire rmcguire at suffolk.edu
Sat Jul 28 03:33:51 CEST 2007


Hello all,

I have a question regarding returning attributes from LDAP with freeRadius.

I need to do some logic comparing and the only way I have been able to get
close is to use the post-auth section, enable 'exec' and push out some data
to an external program where I can do some pattern matching.

Now I have this working just fine with LDAP; the DN and search filter are
fine, etc. What I want to do is return other attributes from LDAP to be
included in the radius reply.

I have added the following to "dictionary_mapping =
${raddbdir}/ldap.attrmap"

checkItem       employeeType        employeeType


When I run the server in debug mode, I see that it is in fact returning the
value of the employeeType from LDAP. The question revolves around how to
pass that out to my test program for validation?

I have been able to pass out everything that is in the initial radius
request, but nothing else.

I have tried to modify the program line below to also send out

%{employeeType}
%{check:employeeType}
%{request:employeeType}
%{reply:employeeType}

None of those work. I have even tried along the lines of
%{modules.ldap.checkval} 

I can't seem to get it to work.

Any help would be appreciated.

Below is a snippet of the radius configuration file, and the little program I
have seen in the user groups to echo out the responses that I am using to
test.

I have verified that if I return a '0' the request is accepted, and a '1'
will reject the request... That part works fine. Also below are parts of the
debug dump.

I don't have the actual connection portion of the log as I am at a remote
site currently, I can send that along also if people think it will be of
benefit.

Thanks for any assistance!
- Reynold



radius.conf
-----------
        exec {
                wait = yes
                input_pairs = request
                program = '${raddbdir}/test.sh %u %{Called-Station-Id}'
        }


test.sh
-------
#!/bin/bash
echo "A: $1"
echo "B: $2"
echo "C: $3"
exit 0


radiusd -X
----------

Module: Loaded exec 
 exec: wait = yes
 exec: program = "/etc/raddb/test.sh %u %{Called-Station-Id}"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?


Module: Loaded LDAP 
 ldap: server = "<ldapserver>"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "admin"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "pwd"
 ldap: basedn = "base-dn"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectClass=user)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP employeeType mapped to RADIUS employeeType
conns: 0x8115218
Module: Instantiated ldap (ldap) 
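As an added example (not part of the original post or of FreeRADIUS itself), here is a diagnostic variant of the test.sh above. It records exactly what reaches the external program and then makes the accept/reject decision with a shell pattern match, following the exit-code convention the post verified (0 accepts, 1 rejects). It assumes the rlm_exec behaviour documented for the module rather than anything shown in the post: the expanded 'program' arguments arrive as $1..$n, and with input_pairs = request each request attribute is also exported as an environment variable named by upper-casing the attribute and replacing '-' with '_' (Called-Station-Id becomes CALLED_STATION_ID). The permitted employeeType patterns and the log path are constructed for the example; the intended call is with the employeeType value as the third argument, e.g. program = '${raddbdir}/test.sh %u %{Called-Station-Id} %{Employee-Type-however-you-obtain-it}', where that third expansion is the open question of the post.

```shell
#!/bin/sh
# Added example, not from the original post: a diagnostic replacement for
# test.sh that logs the arguments and the request environment rlm_exec hands
# to the program, then accepts (exit 0) or rejects (exit 1) by pattern match.
# Assumed rlm_exec behaviour: $1..$n are the expanded 'program' arguments;
# with input_pairs = request, each request attribute is exported as an
# environment variable (upper-cased, '-' replaced by '_').

# Map a RADIUS attribute name to the environment variable name rlm_exec uses,
# e.g. Called-Station-Id -> CALLED_STATION_ID.
attr_to_env() {
    printf '%s' "$1" | tr 'abcdefghijklmnopqrstuvwxyz-' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ_'
}

# Read a request attribute from the environment exported by rlm_exec.
# Prints an empty string when the attribute never reached the script.
request_attr() {
    eval "printf '%s' \"\${$(attr_to_env "$1")}\""
}

# Policy check: 0 (accept) only when the employeeType value matches one of the
# permitted patterns (constructed for the example); anything else, including
# an empty value, is 1 (reject), so a missing attribute fails closed.
decide_access() {
    case "$1" in
        Staff|Faculty|Student-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Log every positional argument and every attribute-style environment
# variable, then decide on the third argument (the employeeType value).
main() {
    log="${EXEC_TRACE_LOG:-/tmp/radius-exec-trace.log}"   # assumed log path
    {
        echo "--- $(date) ---"
        i=1
        for a in "$@"; do
            echo "ARG$i: $a"
            i=$((i + 1))
        done
        # Only upper-case, underscore-style names are of interest here.
        env | grep -E '^[A-Z][A-Z0-9_]*=' | sort
    } >> "$log"
    decide_access "$3"
}

# Run main only when executed as test.sh; when sourced, the functions are
# available for testing without touching the log.
case "$0" in
    *test.sh) main "$@" ;;
esac
```

The log gives a direct answer to "which values actually reach the program": every argument rlm_exec expanded, and every attribute it exported, appear in one record per request. The fail-closed default in decide_access matters in exactly the situation the post describes, where an expansion such as %{employeeType} yields an empty string: an empty third argument is rejected rather than silently accepted.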
