Config hints for providing list of groups in post-auth?

Mike Ely me at
Tue Jun 7 20:29:51 CEST 2016

On 06/07/2016 08:55 AM, Alan DeKok wrote:
> On Jun 7, 2016, at 11:52 AM, Mike Ely <me at> wrote:
>> Intriguing. Are you aware of a way in "unlang" to pull all of a user's group memberships and present those in the reply to the NAS? It would certainly be easier to maintain compared to calling an external script.
>    In v3.0.x, you might as well use a shell script.
We have to stick with 3.0.x for now. I'm _this_ close here. I wrote a 
module that follows the pattern in the ntlm_auth module, and call it in 
post-auth. I can see it run successfully:

Program returned code (0) and output 'domain users,techs'
(0)  getadgroups : Program executed successfully
(0)   [getadgroups] = ok

The part I am conceptually lost on is how to get that program output - 
in the case of my test user 'domain users,techs' - into the main 
post-auth process so I can use "update reply" with whatever custom 
dictionary we settle on here.

How do I set a variable to the ouptut of this module? I've tried 
somevariable = "%{exec:/path/to/script etc etc}" in the module and then 
radius says [getadgroups] = noop

More information about the Freeradius-Users mailing list