Want to include LDAP group information in Access-Accept message

Stefan Paetow Stefan.Paetow at ja.net
Tue Sep 9 17:35:43 CEST 2014


> I am wondering if I can set up FreeRadius to send back the LDAP groups that a user 
> is a member of. Authentication with LDAP should use the username. 

Yes.

> Is it possible to get FreeRadius to query the LDAP server to find the groups associated 
> with that username, then send this group list back to the connecting user in the Access-
> Accept message? 

Yes.

> Will this require a plugin? 

No. You can do this in the inner-tunnel (if you use EAP) and return the attribute(s) to the outer reply. You can either use an ldap xlat to retrieve information in the post-auth section (use ldapsearch to get your query right, then plug it into an ldap xlat, i.e. Attribute := "%{ldap:<ldapquery here>}"), or you can set up the ldap module right from the start, and it'll retrieve everything in one go. :-)

> Can someone give me some guidance on how to do this?



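The xlat approach described in the reply above, written out as an added example; it is not part of the original message and is not taken from the FreeRADIUS default configuration. The file location, base DN, the memberOf attribute, the host name and the choice of Filter-Id as the reply attribute are all assumptions to be replaced with local values.

```unlang
# Added example, not from the original message.
# Assumed (placeholders): this goes in sites-available/inner-tunnel, an "ldap"
# module instance is enabled, users live under ou=people,dc=example,dc=org,
# group membership is exposed in the user's memberOf attribute, and the NAS
# reads the group from Filter-Id.
#
# Get the query right with ldapsearch first, for example:
#   ldapsearch -x -H ldap://ldap.example.org \
#       -b "ou=people,dc=example,dc=org" "(uid=alice)" memberOf

post-auth {
	# The ldap xlat takes an LDAP URL:
	#   ldap:///<base DN>?<attribute>?<scope>?<filter>
	# An xlat expands to a single string, so this suits a user with one
	# relevant group value; a full group list needs the ldap module itself.
	update reply {
		Filter-Id := "%{ldap:ldap:///ou=people,dc=example,dc=org?memberOf?sub?(uid=%{User-Name})}"
	}

	if ("%{reply:Filter-Id}" == "") {
		# The lookup returned nothing: do not send an empty attribute.
		update reply {
			Filter-Id !* ANY
		}
	}
	else {
		# Inside the EAP tunnel, "reply" is the inner reply. Copy the value
		# to the outer reply so it ends up in the Access-Accept.
		update outer.reply {
			Filter-Id := "%{reply:Filter-Id}"
		}
	}
}
```

Attributes in the outer Access-Accept are sent to the NAS without encryption, so return only the group values the NAS needs.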


