Referencing LDAP attributes in post-auth

Alan DeKok aland at deployingradius.com
Sat Dec 10 10:48:09 CET 2011


Adam Track wrote:
> I recently saw another question along the same lines as this, so decided
> to give this another go...
> Am now running 2.1.10, and yes, Person-Type is defined in dictionary and
> ldap.attrmap.  I've also defined in dictionary the following in hopes of
> passing on the value of Person-Type to this attribute:
> 
> ATTRIBUTE       Person-Group                3001    string
> 
> For the (outer) virtual server, in the authorize block I have the following:
>        ...
>        ldap
>         update control {
>                 Person-Group = "%{reply:Person-Type}"
>         }

  That should work.

> In post-auth:
>      ...
>      update reply {
>                Reply-Message := "You are %{control:Person-Group}."
>         }
>      ...

  And that should work too.

> I still cannot figure out how to pass this value from authorize to
> post-auth.

  It works for PAP.  The only reason it doesn't work is you're running
EAP, and that's more complicated.

>  BTW, this is a multi-valued attribute, so what I'm really
> trying to do is to call a perl script in post-auth to iterate through
> all possible values, and set vlan based on whether a particular value
> exists, thus shouldn't be done within authroize. Debug attached (I
> hope).. can't seem to post with it on here due to 100KB limit.

  There's no need for a 100KB debug output.  Try a *simple* test.

  Alan DeKok.



More information about the Freeradius-Users mailing list