Referencing LDAP attributes in post-auth

Adam Track adamtrack at
Tue Nov 1 19:35:31 CET 2011


I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth. Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works great. As an added functionality, I need to send to the NAS a few extra attributes based on an ldap attribute "personType". I've added mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] personType -> Person-Type = "employee"
  [ldap] personType -> Person-Type = "fulltime"
  [ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user tadam authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

How do I reference this attribute in a perl script I call from post-auth?  It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK...  

Actually, I can't even figure out how to call it from the post-auth section itself.. I've tried different things, but I'm thinking the following should work:

update reply {
                Reply-Message := "Type: %{reply:Person-Type}."
}

Yet, I get:

+- entering group post-auth {...}
        expand: Type: %{reply:Person-Type}. -> Type: .
++[reply] returns noop

Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorization block?  
