Return User Groups in Class field
Alan DeKok
aland at deployingradius.com
Wed Nov 14 16:59:02 CET 2018
On Nov 14, 2018, at 8:26 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I use strongSwan to authenticate against FreeRADIUS, which it does successfully, but now I need FreeRADIUS to return the user's groups in the Class field so strongSwan can check that the user belongs to a group [1].
>
> I've managed to work out how to add extra fields to the response by putting an update reply in the file /etc/raddb/sites-available/default:
>
> post-auth {
>     ...
>     update reply {
>         Class = "%{Ldap-Group}"

The issue is that LDAP-Group isn't a real attribute. It's just used to *compare* things, e.g.

    if (LDAP-Group == "sales") {

That *doesn't* grab all of the user's groups and put them into the LDAP-Group attribute.

>     }
>     ...
> }
> Is that the place to put it??
>
> but as you can see below, the Class is null.

And if you read the *rest* of the debug output, you would see it expanding the LDAP group, and returning an empty string. Or maybe even an *error* saying that the LDAP-Group attribute wasn't found.

The solution is to just update Class directly:

    if (LDAP-Group == "sales") {
        update reply {
            Class := "sales"
        }
    }

Alan DeKok.