Setting Class attribute by LDAP Groups
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul  4 09:22:17 CEST 2013

On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:
> update request {
>
>                  Class = "%{Ldap-Group}"
>
> }
You can't do that, because Ldap-Group is not a real attribute with a 
value; it's a virtual attribute, which you compare against (think about 
it - you can be in >1 group).
You would have to do something like this:
   # unlang comparison operator is "==", not "="; the group name is a string
   if (Ldap-Group == "grp1") {
     update reply {
       Class = "grp1"
     }
   }
...which can be slow-ish as it does 1 LDAP query per comparison.
Also note Class is a reply attribute; adding it to request does nothing.
> I did read somewhere if you included the Class variable within the reply
> in the Access-Accept packet that it would be sent back and used within
> the accounting messages as well but this hasn’t been the case for me.
Well, as noted above you're setting class in "request" not "reply".
>
> Even if it’s just some static variable that I set within the
> ‘acct_users’ to get it to send the class attribute; this will achieve my
> goal.
>
> Assuming that the ‘users’ file and the ‘acct_users’ file have the same
> behaviour then why can’t I set Class within the ‘acct_users’ file like I
> can with ‘users’ file?
acct_users runs on accounting packets, which is *after* the 
Access-Accept has been sent. You need to set it in "authorize" or better 
yet, "post-auth", for it to get into the Access-Accept.
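Putting the advice above together, here is a complete post-auth section that maps several LDAP groups to a Class value. This is an added illustration, not code from the original message or from the FreeRADIUS project; the group names "grp1" and "grp2" and the Class strings are hypothetical, and it assumes the ldap module is configured so that the Ldap-Group comparison can resolve group membership for the authenticated user.

```unlang
#
# Added example (not from the original thread). Goes in the server's
# post-auth section (e.g. sites-enabled/default), so the Class ends up
# in the Access-Accept rather than in a later accounting packet.
#
post-auth {
    #
    # Ldap-Group is a virtual attribute: each "==" comparison asks the
    # ldap module whether the user is a member of that group, so each
    # branch below may cost one LDAP query.  Order the most common
    # group first; the elsif chain stops at the first match.
    #
    # Group names "grp1"/"grp2" are hypothetical placeholders.
    #
    if (Ldap-Group == "grp1") {
        update reply {
            # Class is opaque to the NAS; it must be a reply attribute.
            Class = "grp1"
        }
    }
    elsif (Ldap-Group == "grp2") {
        update reply {
            Class = "grp2"
        }
    }
    else {
        #
        # User authenticated but is in none of the mapped groups.
        # Leave Class unset so downstream accounting sees no value,
        # rather than guessing one.
        #
        noop
    }

    #
    # Access-Reject packets go through Post-Auth-Type REJECT, not the
    # block above, so no Class is attached to rejects.
    #
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Because the NAS echoes the Class it received in the Access-Accept into subsequent Accounting-Request packets (RFC 2865, section 5.25), the accounting section can then read the group with `%{Class}` without any further LDAP lookup; nothing set in acct_users or the accounting section can retroactively change what the NAS was told.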
More information about the Freeradius-Users mailing list