post-auth help to simplify

Alan DeKok aland at
Mon Aug 30 16:23:43 CEST 2021

On Aug 30, 2021, at 9:50 AM, Pizu <pizpower at> wrote:
> Users have multiple groups but only 1 RSSO Group per user.

  Then don't use LDAP-Group for this purpose.  There are other ways of getting the same result which are more efficient.

  Use the command-line "ldapsearch" tool to find an LDAP query which returns ONLY the RSSO group name for a user.  In recent versions of the server, there's documentation in mods-available/ldap on how to translate the "ldapsearch" command-line options to the "ldap" module configuration.

  Once you have the "ldapsearch" working, you can turn this into the FreeRADIUS configuration.  Use the ldapsearch string in a dynamic expansion:

	update control {
		&Tmp-String-0 := "%{ldap:... search for RSSO group}"
	}

  Now you have the name of the LDAP group in a variable. 

	if (&control:Tmp-String-0 != "") {
		update reply {
			&Tunnel-Type := "VLAN"
			&Tunnel-Medium-Type := "IEEE-802"
			&Tunnel-Private-Group-Id := "943"
			&Class := "%{control:Tmp-String-0}"
		}
	}

  Alan DeKok.
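A fuller version of the configuration sketched in the reply above, added here as an illustration; it is not taken from the list post or from the FreeRADIUS project's own documentation. The LDAP attribute name rssoGroup, the base DN under dc=example,dc=com, the bind DN, the group names rsso-staff / rsso-guests and the VLAN numbers are all assumptions standing in for whatever the real directory holds. It goes a little beyond the post in two ways a practitioner usually wants: it rejects users with no RSSO group instead of letting them fall onto the switch's default VLAN, and it only honours group names that are explicitly listed.

```unlang
# Step 1 (typed at a shell, not in radiusd): find an ldapsearch that returns
# ONLY the RSSO group.  Hypothetical schema: the group name lives in the
# user's "rssoGroup" attribute.
#
#   ldapsearch -x -H ldap://ldap.example.com -D "cn=radius,dc=example,dc=com" -W \
#       -b "ou=people,dc=example,dc=com" -s sub "(uid=bob)" rssoGroup
#
# Step 2: the same base / attribute / scope / filter written as an ldap xlat
# URL (ldap:///base?attrs?scope?filter), used from the post-auth section of
# the virtual server (sites-available/default).

post-auth {
	# Fetch the single group value into the control list.  The inner
	# %{User-Name} is expanded by the ldap module, which escapes LDAP
	# filter metacharacters in the value before the query is sent.
	update control {
		&Tmp-String-0 := "%{ldap:ldap:///ou=people,dc=example,dc=com?rssoGroup?sub?(uid=%{User-Name})}"
	}

	# Fail closed: no RSSO group means no VLAN and an Access-Reject,
	# rather than silently landing on the NAS default VLAN.
	if (&control:Tmp-String-0 == "") {
		update reply {
			&Reply-Message := "No RSSO group assigned"
		}
		reject
	}

	# Map group name to VLAN.  Only groups listed here get a VLAN; the
	# empty "case" catches anything unexpected (typo, new group, etc.).
	switch &control:Tmp-String-0 {
		case "rsso-staff" {
			update reply {
				&Tunnel-Type := "VLAN"
				&Tunnel-Medium-Type := "IEEE-802"
				&Tunnel-Private-Group-Id := "943"
			}
		}
		case "rsso-guests" {
			update reply {
				&Tunnel-Type := "VLAN"
				&Tunnel-Medium-Type := "IEEE-802"
				&Tunnel-Private-Group-Id := "110"
			}
		}
		case {
			reject
		}
	}

	# Echo the group back in Class so it is visible in accounting records.
	update reply {
		&Class := "%{control:Tmp-String-0}"
	}
}
```

Test the ldapsearch first with a user that has a group and one that does not; the unlang only behaves as intended once the command-line query returns exactly one value for the former and nothing for the latter. Run radiusd -X while testing so the expanded ldap URL and the resulting &control:Tmp-String-0 are visible in the debug output.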
