Config hints for providing list of groups in post-auth?

Mike Ely me at
Tue Jun 7 20:45:24 CEST 2016

On 06/07/2016 11:29 AM, Mike Ely wrote:
> On 06/07/2016 08:55 AM, Alan DeKok wrote:
>> On Jun 7, 2016, at 11:52 AM, Mike Ely <me at> wrote:
>>> Intriguing. Are you aware of a way in "unlang" to pull all of a 
>>> user's group memberships and present those in the reply to the NAS? 
>>> It would certainly be easier to maintain compared to calling an 
>>> external script.
>>    In v3.0.x, you might as well use a shell script.
> We have to stick with 3.0.x for now. I'm _this_ close here. I wrote a 
> module that follows the pattern in the ntlm_auth module, and call it 
> in post-auth. I can see it run successfully:
> Program returned code (0) and output 'domain users,techs'
> (0)  getadgroups : Program executed successfully
> (0)   [getadgroups] = ok
> The part I am conceptually lost on is how to get that program output - 
> in the case of my test user 'domain users,techs' - into the main 
> post-auth process so I can use "update reply" with whatever custom 
> dictionary we settle on here.
> How do I set a variable to the ouptut of this module? I've tried 
> somevariable = "%{exec:/path/to/script etc etc}" in the module and 
> then radius says [getadgroups] = noop
Nevermind, figured it out. Here's where backticks are useful, put the 
following into my post-auth:
         update reply {
                 Reply-Message := `/usr/local/bin/groupparser %{User-Name}`

Note: am using Reply-Message as a placeholder for now. And it works!

More information about the Freeradius-Users mailing list