Add LDAP groups as extra attributes

Robin Helgelin lobbin at gmail.com
Wed Mar 13 20:45:22 CET 2013


On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS attribute, and add the RADIUS attribute to raddb/dictionary (taking care to note the comments about numbering, i.e. pick a number from 3000-3999). Don't re-use an existing attribute - many of the xxGroup attributes have "magic" behaviour hooks.
>
> Phili is correct, but this will only work for something like AD, where you have memberOf attributes which link a user account to a group.
>
> This also doesn't really work if you want a group name, and the membership attributes specify a group DN, though it'd probably be pretty easy to figure out the group name later (you could even do it within unlang if you're using FR 3.0).

Thanks, we're using the memberof overlay, and that might be working.

First problem is that I need to rewrite the output from ldap to
something the radius-client finds useful. But there are radius modules
for rewriting things, right?

Next problem seems to be that freeradius ignores it when ldap returns
more than one group, am I correct?

-- 
        regards,
        Robin

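Editor's added example (not posted by anyone in this thread): the mapping the quoted advice describes, followed by an unlang rewrite of the kind Robin asks about, written for FreeRADIUS 2.x file layout. The attribute name My-LDAP-Group, the number 3000, the LDAP attribute memberOf (what the memberof overlay maintains) and Filter-Id as the attribute the client wants are all assumptions.

```conf
# raddb/dictionary: a local attribute in the 3000-3999 range the quoted
# advice points at (name and number are assumptions).
ATTRIBUTE   My-LDAP-Group   3000    string

# raddb/ldap.attrmap: replyItem <RADIUS attr> <LDAP attr>. Each matching
# LDAP value is copied into the reply list under My-LDAP-Group.
replyItem   My-LDAP-Group   memberOf

# raddb/sites-enabled/default, post-auth section: the LDAP value is a group
# DN; turn it into a bare group name in an attribute the NAS understands
# (Filter-Id is an assumption), then drop the raw DN from the Access-Accept.
post-auth {
    if (reply:My-LDAP-Group =~ /^[cC][nN]=([^,]+),/) {
        update reply {
            Filter-Id := "%{1}"
        }
    }
    update reply {
        My-LDAP-Group !* ANY
    }
}
```

Caveat: the condition above tests only the first My-LDAP-Group value in the reply, so a user who is in several groups gets only the first group's name as Filter-Id. Whether rlm_ldap copies every memberOf value into the reply in the version in use is exactly the open question in the message above; check with `radiusd -X` and the Access-Accept contents rather than assuming.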

More information about the Freeradius-Users mailing list