Referencing LDAP attributes in post-auth
Adam Track
adamtrack at rocketmail.com
Tue Nov 1 19:35:31 CET 2011
Hello,
I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth. Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works great. As an added functionality, I need to send to the NAS a few extra attributes based on an an ldap attribute "personType". I've added mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server:
...
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] personType -> Person-Type = "employee"
[ldap] personType -> Person-Type = "fulltime"
[ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user tadam authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
How do I reference this attribute in a perl script I call from post-auth? It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK...
Actually, I can't even figure out how to call it from the post-auth section itself.. I've tried different things, but I'm thinking the following should work:
update reply{
Reply-Message := "Type: %{reply:Person-Type}."
}
Yet, I get:
...
+- entering group post-auth {...}
expand: Type: %{reply:Person-Type}. -> Type: .
++[reply] returns noop
...
Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorization block?
A.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20111101/c5dc36cb/attachment.html>
More information about the Freeradius-Users
mailing list