Multi-valued LDAP attribute
Alan DeKok
aland at deployingradius.com
Wed May 2 20:32:44 CEST 2012
Adam Track wrote:
> I'm still having no luck trying to get all of the values off this
> multi-valued attribute.. I believe I've got the perl syntax correct but
> when I try to dereference @{$RAD_REPLY{'Person-Type'}} to check through
> all values, I get:
>
> rlm_perl: perl_embed:: module = /etc/freeradius/groupcheck.pl , func =
> post_auth exit status= Can't use string ("employee") as an ARRAY ref
> while "strict refs" in use at /etc/freeradius/groupcheck.pl line 112.

This is really a Perl question.

> But again, all three values are returned:
>
> ...
> [ldap] looking for reply items in directory...
> [ldap] personType -> Person-Type = "employee"
> [ldap] personType -> Person-Type = "fulltime"

Read raddb/ldap.attrmap. This is documented.

> I did notice the following in the post-auth debug:
...
> So, for Person-Type, only the one value, employee, is passed to the perl
> module? Shouldn't there be another two lines of this for the other two
> values?

No. The default operator for the LDAP attribute mapping is '='. If
you want '+=', edit ldap.attrmap.

This has been in ldap.attrmap, *and* documented there since 2004. If
you're editing the file to add "personType", then PLEASE READ THE FILE.

Alan DeKok.
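
An added example, not part of the original post or FreeRADIUS's own code: a Perl sketch of reading an attribute that may arrive as one string or as several values, which avoids the "Can't use string as an ARRAY ref" error quoted above. It assumes that rlm_perl stores a multi-valued attribute as an array reference and a single value as a plain string; the helper names `attr_values` and `has_value`, the sample hashes, and the mapping line in the comment are constructed for illustration.

```perl
use strict;
use warnings;

# Assumed ldap.attrmap entry, using the '+=' operator named in the reply:
#   replyItem   Person-Type   personType   +=

# Return every value of an attribute as a list, whether it was stored as a
# plain string (one value) or as an array reference (several values).
# A missing attribute yields an empty list, so callers fail closed.
sub attr_values {
    my ($hash, $name) = @_;
    my $v = $hash->{$name};
    return ()  unless defined $v;
    return @$v if ref($v) eq 'ARRAY';
    return ($v);
}

# Hypothetical authorization check: true only if $wanted is among the values.
sub has_value {
    my ($hash, $name, $wanted) = @_;
    my $matches = grep { $_ eq $wanted } attr_values($hash, $name);
    return $matches > 0;
}

# Constructed sample data standing in for %RAD_REPLY.
my %single = ('Person-Type' => 'employee');                # '='  : first value only
my %multi  = ('Person-Type' => ['employee', 'fulltime']);  # '+=' : all values
my %none   = ();                                           # attribute absent

for my $case (['single', \%single], ['multi', \%multi], ['none', \%none]) {
    my ($label, $reply) = @$case;
    my @vals = attr_values($reply, 'Person-Type');
    printf "%-6s values=[%s] fulltime=%s\n",
        $label, join(',', @vals),
        has_value($reply, 'Person-Type', 'fulltime') ? 'yes' : 'no';
}
```

With the default '=' mapping only the first value reaches the script, so a check for "fulltime" fails even though the directory holds it; any authorization decision built on this attribute depends on the operator in ldap.attrmap.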