Referencing LDAP attributes in post-auth

Gary Gatten Ggatten at
Tue Nov 1 19:44:47 CET 2011

I'm just guessing, and could be WAY off, but may be an inner-tunnel vs. outer-tunnel thing.  I think there's an option to copy inner-tunnel attribs to outer-tunnel attribs.  Maybe start searching in those areas and wait for someone that actually known something about FR to reply.  I used to know a LITTLE bit, but I hardly touch it anymore and find myself forgetting all but the very basics.


From: at [ at] On Behalf Of Adam Track
Sent: Tuesday, November 01, 2011 1:36 PM
To: ' freeradius-users at'
Subject: Referencing LDAP attributes in post-auth


I'm sorry for asking such a simple(?) thing, but my lack of understanding is not due to a lack of reading, searching, trial-and-error... I just can't seem to figure out how to reference an ldap attribute in post-auth.  Using freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for authorization works great.  As an added functionality, I need to send to the NAS a few extra attributes based on an an ldap attribute "personType".  I've added mapping for this attribute, and here's a snippet of the debug output from the authorize section of the virtual server:

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
  [ldap] personType -> Person-Type = "employee"
  [ldap] personType -> Person-Type = "fulltime"
  [ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user tadam authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

How do I reference this attribute in a perl script I call from post-auth?  It's not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK...

Actually, I can't even figure out how to call it from the post-auth section itself.. I've tried different things, but I'm thinking the following should work:

update reply{
                Reply-Message := "Type: %{reply:Person-Type}."

Yet, I get:

+- entering group post-auth {...}
        expand: Type: %{reply:Person-Type}. -> Type: .
++[reply] returns noop

Is there something else I need to do to make sure the values returned from the ldap module are saved for reference outside the authorization block?


<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list