Config hints for providing list of groups in post-auth?

[Mike Ely]

On 06/06/2016 11:35 AM, Alan DeKok wrote:
> On Jun 6, 2016, at 2:29 PM, Mike Ely <me at mikeely.org> wrote:
>> I have a 3.0.4 machine successfully authenticating against Active Directory. For the use case I have in mind I'd like to have the Freeradius server add into post-auth something like:
>>
>> Group-Name:= "Domain Users",
>> Group-Name+= "All Staff",
>> etc.
>    Those are server-side attributes, and can't go into a RADIUS packet.
Good to know.
>
>> The idea here is that the NAS will be able to make its own decisions about what to grant based on group membership once radius has authenticated the user.
>    The NAS has to support this functionality.  If the NAS doesn't support it, then it's impossible.
We have full control over the NAS and what it supports.
>
>> I can parse the group list easily enough from the shell, but don't know how to get this into post-auth. Also, is Group-Name the best choice here or should I be using another attribute?
>    See your NAS documentation for how the NAS works.
>
>    If you're writing your own NAS, use a vendor-specific dictionary to define your own group attribute.
>
>    Alan DeKok.
>
Excellent - the dictionary part seems straightforward.

What I'm wondering is how to get the group membership from the OS into a 
radius packet. Is there some kind of command from unlang that can 
execute a shell command? I'm hoping for something along the lines of 
"exec mycommand.sh username" that returns an array of variables, in this 
case the list of group names.