Hello,
I'm sorry for asking such a simple(?) thing, but my lack of understanding is
not due to a lack of reading, searching, trial-and-error... I just can't seem
to figure out how to reference an ldap attribute in post-auth. Using
freeradius 2.1.8, PEAPv0/EAP-MSCHAPv2 with AD for authentication and ldap for
authorization works great. As an added functionality, I need to send to the
NAS a few extra attributes based on an ldap attribute "personType". I've
added mapping for this attribute, and here's a snippet of the debug output from
the authorize section of the virtual server:
...
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] personType -> Person-Type = "employee"
[ldap] personType -> Person-Type = "fulltime"
[ldap] personType -> Person-Type = "it"
WARNING: No "known good" password was found in LDAP. Are you sure that the
user is configured correctly?
[ldap] user tadam authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
...
How do I reference this attribute in a perl script I call from post-auth? It's
not in %RAD_REQUEST, %RAD_REPLY, or %RAD_CHECK...
Actually, I can't even figure out how to call it from the post-auth section
itself. I've tried different things, but I'm thinking the following should
work:
    update reply {
        Reply-Message := "Type: %{reply:Person-Type}."
    }
Yet, I get:
...
+- entering group post-auth {...}
expand: Type: %{reply:Person-Type}. -> Type: .
++[reply] returns noop
...
Is there something else I need to do to make sure the values returned from the
ldap module are saved for reference outside the authorization block?
A.-