> > Update a server-side attribute when you use the module:
> >
> >     update control {
> >         Tmp-String-0 = "ldap-student"
> >     }
> >
> > then in post-auth:
> >
> >     if (control:Tmp-String-0 == "ldap-student") {
> >         ...
> >     }

I'm really grateful for all your help, but it still doesn't work, and after hours of experimenting, here's where I am.

I add

    if (control:Tmp-String-0 == "ldap-student") {
        update reply {
            Reply-Message := "User is student"
        }
    }

to the end of the post-auth section, and radiusd -X reports:

    ++[eap] returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    ++? if (control:Tmp-String-0 == "ldap-student")
    (Attribute control:Tmp-String-0 was not found)
    Sending Access-Accept of id 53 to 10.127.240.217 port 1645

Fair enough: the user is authenticated, but Tmp-String-0 hasn't been assigned a string.

I add

    update control {
        Tmp-String-0 = "ldap-student"
    }

to the beginning of the post-auth section, and radiusd -X reports:

    ++[eap] returns ok
    +- entering group post-auth {...}
    ++[control] returns noop
    ++[exec] returns noop
    ++? if (control:Tmp-String-0 == "ldap-student")
    ? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE
    ++? if (control:Tmp-String-0 == "ldap-student") -> TRUE
    ++- entering if (control:Tmp-String-0 == "ldap-student") {...}
    +++[reply] returns noop
    ++- if (control:Tmp-String-0 == "ldap-student") returns noop
    Sending Access-Accept of id 101 to 10.127.240.217 port 1645

OK so far, so I move

    update control {
        Tmp-String-0 = "ldap-student"
    }

to the authorise section, thus:

    ldap_staff
    if (ok) {
        update reply {
            Reply-Message = "ldap-staff"
        }
    }
    else {
        ldap_student
        if (ok) {
            update control {
                Tmp-String-0 = "ldap-student"
            }
        }
        else {
            reject
        }
    }

And I get:

    ++[eap] returns ok
    +- entering group post-auth {...}
    ++[exec] returns noop
    ++? if (control:Tmp-String-0 == "ldap-student")
    (Attribute control:Tmp-String-0 was not found)
    Sending Access-Accept of id 129 to 10.127.240.217 port 1645

Towards the beginning of the debug output is:

    rlm_ldap: Bind was successful
    rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=cmsxleig)
    [ldap_student] looking for check items in directory...
    [ldap_student] looking for reply items in directory...
    WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap_student] user cmsxleig authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    +++[ldap_student] returns ok
    +++? if (ok)
    ? Evaluating (ok) -> TRUE
    +++? if (ok) -> TRUE
    +++- entering if (ok) {...}
    ++++[control] returns ok
    +++- if (ok) returns ok
    +++ ... skipping else for request 0: Preceding "if" was taken
    ++- else else returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop

Does "++++[control] returns ok" mean the string was successfully assigned? If so, how do I find where it gets lost?

A search for "ldap-s" through the file only produces two matches: one where the string is assigned and the other where it is tested. Similarly, a search for "Tmp-Str" only finds two matches. "history | grep vi" shows I haven't accidentally edited another file.

Leighton