Setting Class attribute by LDAP Groups

Phil Mayers p.mayers at
Thu Jul 4 09:22:17 CEST 2013

On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:

> update request {
>                  Class = “%{Ldap-Group}”
> }

You can't do that, because Ldap-Group is not a real attribute with a 
value; it's a virtual attribute, which you compare against (think about 
it - you can be in >1 group)

You would have to do something like this:

   if (Ldap-Group = grp1) {
     update reply {
       Class = "grp1"

...which can be slow-ish as it does 1 LDAP query per comparison.

Also not Class is a reply attribute; adding it to request does nothing.

> I did read somewhere if you included the Class variable within the reply
> in the Access-Accept packet that it would be sent back and used within
> the accounting messages as well but this hasn’t been the case for me.

Well, as noted above you're setting class in "request" not "reply".

> Even if it’s just some static variable that I set within the
> ‘acct_users’ to get it to send the class attribute; this will achieve my
> goal.
> Assuming that the ‘users’ file and the ‘acct_users’ file have the same
> behaviour then why can’t I set Class within the ‘acct_users’ file like I
> can with ‘users’ file?

acct_users runs on accounting packets, which is *after* the 
Access-Accept has been sent. You need to set it in "authorize" or better 
yet, "post-auth", for it to get into the Access-Accept.

More information about the Freeradius-Users mailing list