ldap xlat syntax
Alan DeKok
aland at deployingradius.com
Fri Apr 26 20:21:00 UTC 2024
On Apr 26, 2024, at 3:42 PM, Christopher Nighswonger <chris.nighswonger at gmail.com> wrote:
> (12) update reply {
> (12) ERROR: Parsing LDAP URL failed
> (12) EXPAND AD-Group:
> %{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}
> (12) --> AD-Group:
> (12) Reply-Message += AD-Group:
FreeRADIUS is just calling the OpenLDAP APIs to parse that URL. So if it fails, it's because OpenLDAP doesn't like the URL.
Looking at it closely, you have 3 "/", not 2.
> Questions:
>
> 1. Is this sort of query possible using ldap xlat?
Yes.
> 2. If so, am I missing something obvious?
>
> 3. Is there a way to test/debug ldap xlat expressions which is more
> efficient/simple than embedding them in the config and testing?
Use ldapsearch and/or ldapurl from OpenLDAP.
Or, just update the config & run the server in debug mode.
Alan DeKok.
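For readers who want to check an LDAP URL before putting it into an xlat, the following is an added example (not code from this thread, FreeRADIUS or OpenLDAP). It splits a URL into the fields RFC 4516 defines, in the order `ldap[s]://[host[:port]]/[dn[?[attributes][?[scope][?[filter][?extensions]]]]]`, and reports the first field whose content does not fit its position. The URL from the quoted debug output is embedded as-is; the second input is a constructed URL that places the same DN, filter and attribute in the RFC 4516 order. The `check()` and `split_ldap_url()` helpers are my own names, not an OpenLDAP API.

```python
"""Split an LDAP URL into RFC 4516 components and sanity-check each one.

Added example for the thread above. It is a pure-Python checker, not a call
into the OpenLDAP ldap_url_parse() API, so it can only report structural
problems; it does not connect to any directory.
"""
import re
from urllib.parse import unquote

SCHEMES = ("ldap", "ldaps", "ldapi")
SCOPES = ("", "base", "one", "sub")          # empty scope defaults to "base"
# attribute description per RFC 4512 (type with optional ;options), "*" or "1.1"
ATTR_RE = re.compile(r"^(\*|1\.1|[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*)$")

# URL exactly as quoted in the debug output above (the xlat prefix removed)
THREAD_URL = ("ldap:///cn=Users,dc=foo,dc=bar,dc=com"
              "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))"
              "?sAMAccountName")

# constructed input: same DN, filter and attribute, in RFC 4516 field order
ORDERED_URL = ("ldap:///cn=Users,dc=foo,dc=bar,dc=com"
               "?sAMAccountName?sub"
               "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))")


def split_ldap_url(url):
    """Return a dict of RFC 4516 components, or raise ValueError naming the
    first field that does not match the shape expected at its position."""
    if "://" not in url:
        raise ValueError("missing '://' after the scheme")
    scheme, rest = url.split("://", 1)
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")

    # hostport runs to the first '/'; an empty hostport ("ldap:///") is legal
    hostport, _, rest = rest.partition("/")

    # the remaining fields are '?'-separated; a '?' inside a field must be %3F
    parts = rest.split("?")
    if len(parts) > 5:
        raise ValueError("more than five fields: expected dn?attrs?scope?filter?exts")
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)

    if attrs.startswith("("):
        raise ValueError("attribute-list position holds a filter; "
                         "RFC 4516 order is dn?attributes?scope?filter")
    for attr in filter(None, attrs.split(",")):
        if not ATTR_RE.match(attr):
            raise ValueError(f"{attr!r} is not an attribute description")
    if scope not in SCOPES:
        raise ValueError(f"scope position holds {scope!r}; expected base, one or sub")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter position must hold a parenthesised RFC 4515 filter")

    return {"scheme": scheme, "hostport": hostport, "dn": dn,
            "attributes": attrs, "scope": scope, "filter": filt,
            "extensions": exts}


def check(url):
    """Return (True, components) for a well-formed URL, else (False, reason)."""
    try:
        return True, split_ldap_url(url)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for label, url in (("thread URL", THREAD_URL), ("ordered URL", ORDERED_URL)):
        ok, detail = check(url)
        print(f"{label}: {'ok' if ok else 'rejected'} -> {detail}")
```

Run it with `python3 ldapurl_check.py` (hypothetical file name); a rejected URL is printed with the offending field, which is usually quicker than a server restart in debug mode. Because this is only a structural check, a URL it accepts can still be refused by OpenLDAP for reasons it does not model, so `ldapurl` from OpenLDAP remains the authoritative test.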