populate a reply with ldap generic attributes

Nicolas Edel nicolas.edel at gmail.com
Mon Nov 10 14:21:48 CET 2014


On Mon, Nov 10, 2014 at 10:22 AM, Nicolas Edel <nicolas.edel at gmail.com> wrote:
> Hi,
> Using LDAP for both authorization and authentication, I learnt how to
> populate a reply request with generics in the authorize. Works fine.
> Now I am wondering if it would be possible to populate the reply with
> generics using a dn specified in an ldap attribute. The goal of this
> is to have predefined profiles to specify user rights (such as
> read-only, operator, admin, etc) specified only once and to refer to
> them in the user profile. Since these are generic attributes (of
> type radiusAttribute), I can't see any way to use xlat for this.
> I would be pleased if someone could provide me any hint.
> Thanks.
>
> :Nicolas

To be more precise, the only solution I found for now is to use
LDAP-Group comparison in post-auth and then updating reply according
to the selected group. E.g.:

post-auth {
        # reply items for each profile are hard-coded here, one block per group
        if (control:LDAP-Group == "cn=cisco_readonly,ou=groups,ou=radius,dc=foo,dc=bar") {
                update reply {
                        Cisco-AVPair = "shell:priv-lvl=1"
                }
        }
}

Now I'd like to retrieve the attributes (in post-auth or other, no
matter) from within the directory itself instead of hard-coding them
in the radius configuration. This is not a show stopper but it would
really help.
Thanks,

:Nicolas
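Added illustration (not the poster's configuration, and not a reply on the list) of the direction the message asks about: keeping the per-profile reply items in the directory and having rlm_ldap pull them in through a profile DN stored on the user entry. It assumes FreeRADIUS 3.0.x rlm_ldap with its "profile_attribute" / "default_profile" settings and the radiusprofile objectClass from the schema shipped with the server; all DNs, the server name and the user are constructed placeholders.

```text
# --- raddb/mods-available/ldap (excerpt, constructed) ---
ldap {
        server = "ldap.example.org"          # placeholder
        base_dn = "dc=foo,dc=bar"

        user {
                base_dn = "ou=people,ou=radius,dc=foo,dc=bar"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        update {
                control:Password-With-Header += 'userPassword'
                # When only a list is named, each value of the LDAP attribute is
                # parsed as an "Attribute op value" pair, so the directory can
                # hold lines such as  Cisco-AVPair := "shell:priv-lvl=1"
                control:        += 'radiusControlAttribute'
                reply:          += 'radiusReplyAttribute'
        }

        # DN(s) listed in this attribute of the user entry are fetched as
        # profile objects and the same "update" mapping is applied to them,
        # so the reply items are stored once per profile, not per user.
        profile_attribute = "radiusProfileDn"
        # Optional profile applied to every user before the user's own ones.
        default_profile = "cn=default,ou=profiles,ou=radius,dc=foo,dc=bar"
}

# --- profiles.ldif (constructed sample) ---
dn: cn=cisco_readonly,ou=profiles,ou=radius,dc=foo,dc=bar
objectClass: radiusprofile
cn: cisco_readonly
radiusReplyAttribute: Cisco-AVPair := "shell:priv-lvl=1"

# A user entry refers to the profile instead of repeating its attributes.
dn: uid=alice,ou=people,ou=radius,dc=foo,dc=bar
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: alice
cn: Alice Example
sn: Example
radiusProfileDn: cn=cisco_readonly,ou=profiles,ou=radius,dc=foo,dc=bar
```

With this layout, anyone who can write radiusProfileDn on a user entry or edit objects under ou=profiles effectively assigns the privilege level, so directory ACLs on those attributes and that subtree should be as tight as the group memberships the post-auth block keyed on.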


More information about the Freeradius-Users mailing list