Add LDAP groups as extra attributes

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 13 16:11:14 CET 2013


On 13 Mar 2013, at 10:52, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 13/03/13 14:44, Robin Helgelin wrote:
>> Hi!
>> 
>> I want to add the LDAP-users current groups as extra attributes to the
>> authentication reply.
>> 
>> Is it possible? I'm having a hard time finding documentation about this.
> 
> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS attribute, and add the RADIUS attribute to raddb/dictionary (taking care to note the comments about numbering, i.e. pick a number from 3000-3999). Don't re-use an existing attribute - many of the xxGroup attributes have "magic" behaviour hooks.

Phil is correct, but this will only work for something like AD, where you have memberOf attributes which link a user account to a group.

This also doesn't really work if you want a group name, and the membership attributes specify a group DN, though it'd probably be pretty easy to figure out the group name later (you could even do it within unlang if you're using FR 3.0).

Where you have the inverse, i.e. a group object specifying user names or user DNs, the code doesn't currently support group retrieval; feel free to submit patches.

-Arran
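The two configurations discussed in this thread, written out as an added example that is not from the thread or from the FreeRADIUS project's shipped files: the attrmap/dictionary mapping Phil describes (2.x file layout), followed by the 3.0 equivalent with the unlang step Arran mentions for turning a group DN into a group name. The attribute names LDAP-Group, LDAP-Group-DN and LDAP-Group-Name, their numbers, and the assumption that the group's first RDN is `cn=` are mine. One caveat worth checking before relying on this: the raddb/dictionary comments state that attributes numbered 3000-3999 are local to the server and are not sent on the wire, so an attribute in that range is available to unlang, logging and policy, but it will not reach the NAS in the Access-Accept unless it is additionally copied into a vendor-specific attribute the NAS understands.

```text
# ---- FreeRADIUS 2.x: one reply attribute per memberOf value ----------------
#
# raddb/dictionary (local, non-wire attributes use 3000-3999; 3000 chosen here)
ATTRIBUTE	LDAP-Group		3000	string

# raddb/ldap.attrmap
# columns: <checkItem|replyItem>  <RADIUS attribute>  <LDAP attribute>
# rlm_ldap adds one LDAP-Group pair for each value of memberOf on the user entry
replyItem	LDAP-Group		memberOf


# ---- FreeRADIUS 3.0: same mapping, then derive the group name in unlang ----
#
# raddb/dictionary
ATTRIBUTE	LDAP-Group-DN		3000	string
ATTRIBUTE	LDAP-Group-Name		3001	string

# raddb/mods-available/ldap, inside the module's update { } block
update {
	reply:LDAP-Group-DN	+= 'memberOf'
}

# raddb/sites-available/default, post-auth { } section
# memberOf holds group DNs, e.g. "cn=netadmins,ou=groups,dc=example,dc=org"
# (constructed sample); the leading cn= RDN is taken as the group name
post-auth {
	foreach &reply:LDAP-Group-DN {
		if ("%{Foreach-Variable-0}" =~ /^cn=([^,]+),/i) {
			update reply {
				&LDAP-Group-Name += "%{1}"
			}
		}
	}
}
```

The regex deliberately stops at the first comma, so a group whose RDN contains an escaped comma (`cn=Sales\, EMEA,...`) will be truncated; if your directory allows such names, compare the full DN against an explicit list instead of parsing it. Run `radiusd -X` and confirm that exactly one LDAP-Group-Name appears per group in the debug output before any policy is built on top of these values.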

