How to use LDAP Group attributes in post-auth section?

Wed Jan 8 19:57:58 CET 2020

Hi, Alan!
Thanks again for very quick help. Some comments:

   > You can do an LDAP query, off the time limits are in LDAP.

Is there any hook in the LDAP module for that? Or do you mean to call a 
subprocess
like " `ldapsearch ......` " in the post-auth section? Guess this has 
performance disadvantages
because it would be called by each user login.
Is there a freeradius initialization module which can be used for this 
query to do it once only?

Thanks
Uwe

On 08.01.2020 19:14, Alan DeKok wrote:
> On Jan 8, 2020, at 12:26 PM, uj2.hahn at posteo.de wrote:
>> Hi!
>> I use freeradius 3.0.17 with LDAP module for a school.
>> There are different LDAP groups (e.g. students and teacher).
>> WLAN login time should be limited but differently for different groups.
>> In freeradius I already extracted the LDAP group the user belongs to and I know
>> how to limit  the logintime (Current-Time == "wk1602-0800") or so.
>> But of course I don't want to hardcode the group specific time strings.
>> Idea is to define group attributes in LDAP which contain these strings.
>>
>> - Is it possible to map _group _specific attributes into LDAP module of freeradius,
>>    may be some code snippets as template....
>    You can do an LDAP query, off the time limits are in LDAP.
>
>> - so far I use OpenLDAP as training vehicle. Here I can add a radius scheme. But
>>    final solution has to be (existing) Active Directory. Is above method usable there
>>    as well?
>    Sure, if you extend the schema.
>
>> - May be there is a completely different solution out there I'm not aware of.
>>    Any hints are very welcome!
>    TBH, the time limit format is very RADIUS specific.  It's best to put the rules into FreeRADIUS:
>
> 	if (LDAP-Group == "students")  {
> 		update reply {
> 			Login-Time := "wk0900-1600"
> 		}
> 	}
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html