LDAP Xlat with multiple results
Alan DeKok
aland at deployingradius.com
Fri Jun 1 15:28:07 CEST 2012
Francois Gaudreault wrote:
> I have an LDAP xlat query to populate the Ldap-Group attribute
No.
You can't do that.
LDAP-Group is a *comparison* operator. Its meaning and behavior are
defined. It does LDAP queries to check group membership against the
string you return.
DO NOT use it for any other purpose.
> in order
> to do crazy stuff with the group membership (out of scope to explain to you
> what kind of crazy stuff). The issue I have is that the query may
> return multiple group membership lines.
>
> update request {
> Ldap-Group +=
> "%{ldap:ldap:///dc=inverse,dc=local?memberOf?sub?sAMAccountName=%u}"
> }
>
> My question is, how can the Ldap-Group be listed for each result the
> query returns? i.e.
> Ldap-Group = "cn=group1,dc=inverse,dc=local"
> Ldap-Group = "cn=group2,dc=inverse,dc=local"
>
> Right now, the Ldap-Group will only contain the first group of the list.
(1) use a different attribute. Using LDAP-Group is wrong.
(2) the %{ldap:...} query returns a one-line string. You *cannot*
have it return more data. You *cannot* automatically create multiple
attributes from one string's worth of data.
This problem requires a real programming language. Use Perl.
Alan DeKok.
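
An added example, not part of the original message or of FreeRADIUS itself: one way an rlm_perl script could do what the reply recommends, reading every memberOf value and storing them as multiple instances of a separate attribute. The server URI, the anonymous bind, the use of User-Name, and the attribute name My-Group-DN (which would have to be defined in a local dictionary) are assumptions; the user name is escaped before it goes into the LDAP filter.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hashes that rlm_perl shares with the server.
our (%RAD_REQUEST, %RAD_CHECK, %RAD_REPLY);

# rlm_perl module return codes.
use constant {
    RLM_MODULE_FAIL    => 1,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# Assumptions: placeholder server, base DN taken from the quoted query,
# and a hypothetical attribute that must exist in a local dictionary.
my $LDAP_URI   = 'ldap://ldap.example.invalid';
my $BASE_DN    = 'dc=inverse,dc=local';
my $GROUP_ATTR = 'My-Group-DN';

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user && length $user;

    my $ldap = Net::LDAP->new($LDAP_URI, timeout => 5)
        or return RLM_MODULE_FAIL;
    my $bind = $ldap->bind;    # anonymous; pass a DN and password if required
    if ($bind->code) { $ldap->unbind; return RLM_MODULE_FAIL; }

    # Escape the user-supplied name so it cannot alter the filter (RFC 4515).
    my $filter = '(sAMAccountName=' . escape_filter_value($user) . ')';
    my $res = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => $filter,
        attrs  => ['memberOf'],
    );
    if ($res->code) { $ldap->unbind; return RLM_MODULE_FAIL; }

    # get_value returns every value of the attribute in list context.
    my @groups = map { $_->get_value('memberOf') } $res->entries;
    $ldap->unbind;
    return RLM_MODULE_NOOP unless @groups;

    # An array reference becomes one attribute instance per element.
    $RAD_REQUEST{$GROUP_ATTR} = \@groups;
    return RLM_MODULE_UPDATED;
}
```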