Hi, I tried to return the value of Filter-ID as:

authorize {
    ...
    ldap
    if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) {
        update control {
            Tmp-String-1 := "%{1}"
        }
    }
    ...
}

post-auth {
    update reply {
        Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"
    }
}

In my Active Directory I have the attribute named "distinguishedName", which I am using inside the "if" statement. If I use the "Ldap-UserDN" attribute inside the "if" statement (as suggested) it says: "No attribute named Ldap-UserDN".

*Example*: In Active Directory the "distinguishedName" attribute for the user is listed as:

CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com

But when I run in debug mode, while checking the "if" condition, it shows:

++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE

*Why is this "if" condition being evaluated as FALSE?*

And it returns the post-auth value as:

Filter-Id = "Enterasys:version=1:policy="

It doesn't return anything such as staff, administrators, etc. for the policy.

The relevant part of the debug mode output and the radtest output are shown below:

##Debug mode output:

# radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 43666, id=225, length=80
    User-Name = "test"
    User-Password = "hello"
    NAS-IP-Address = IP Address
    NAS-Port = 0
    Message-Authenticator = 0x8ab06794e7069587309aa626d315269e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[ldap] performing user authorization for test
[ldap]     expand: %{Stripped-User-Name} ->
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> test
[ldap]     expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test)
[ldap]     expand: dc=example,dc=com -> dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to server.example.com:389, authentication 0
[ldap] bind as cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com/hello to server.example.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=example,dc=com, with filter (sAMAccountName=test)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/)
? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = LDAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "test" with password "hello"
[ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com
[ldap] (re)connect to server.example.com:389, authentication 1
[ldap] bind as CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/hello to server.example.com:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user test authenticated succesfully
++[ldap] returns ok
Login OK: [test] (from client localhost port 0)
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
    expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -> Enterasys:version=1:policy=
++[reply] returns noop
++[exec] returns noop
Sending Access-Accept of id 225 to 127.0.0.1 port 43666
    Filter-Id = "Enterasys:version=1:policy="
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 225 with timestamp +8
Ready to process requests.

##radtest output:

# radtest test hello localhost 0 testing123
Sending Access-Request of id 225 to 127.0.0.1 port 1812
    User-Name = "test"
    User-Password = "hello"
    NAS-IP-Address = IP Address
    NAS-Port = 0
    Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=225, length=49
    Filter-Id = "Enterasys:version=1:policy="

Please correct me if I am doing something wrong.

Thanks,

--
View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-value-for-the-users-in-Active-Directory-tp5155068p5158499.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
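The following is an added example, not part of the post above and not FreeRADIUS code. It applies the post's regex to sample DNs in Python so the two halves of the behaviour can be checked outside the server: the capture group does pick out "Staff" from the DN as listed in Active Directory, and the same pattern yields no match (so the `if` is FALSE and the expanded policy is empty) when the value being tested is empty or absent, or when it is written with lowercase `ou=` as in the authorize-phase bind line of the debug output and the comparison is case-sensitive. The DN strings, the `first_ou` and `filter_id` helpers and the `ignore_case` switch are all constructed for this example.

```python
import re

# The pattern the post puts in its unlang "if" condition, unchanged.
OU_PATTERN = r"^[^,]+,OU=([^,]+),"

# Constructed sample DNs, modelled on the DN forms visible in the debug output.
SAMPLE_DNS = {
    "as listed in AD": "CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com",
    "lowercase, as in the authorize-phase bind": "cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com",
    "attribute empty or absent": "",
    "no OU component at all": "CN=svc,DC=example,DC=com",
}


def first_ou(dn, ignore_case=False):
    """Return the first OU value after the RDN, or None when the regex does not match.

    None corresponds to the unlang condition evaluating FALSE, so the
    "update control" block never runs and Tmp-String-1 is never set.
    """
    flags = re.IGNORECASE if ignore_case else 0
    match = re.match(OU_PATTERN, dn or "", flags)
    return match.group(1) if match else None


def filter_id(dn, ignore_case=False):
    """Build the Filter-Id string the post's post-auth section produces.

    An unset control attribute expands to an empty string, which is exactly
    the 'Enterasys:version=1:policy=' seen in the Access-Accept.
    """
    policy = first_ou(dn, ignore_case) or ""
    return f"Enterasys:version=1:policy={policy}"


if __name__ == "__main__":
    for label, dn in SAMPLE_DNS.items():
        print(f"{label}:")
        print(f"  case-sensitive   -> {filter_id(dn)!r}")
        print(f"  case-insensitive -> {filter_id(dn, ignore_case=True)!r}")
```

Running the script shows that the regex itself is sound for the DN the post lists; the empty policy in the Access-Accept is what the post-auth expansion produces whenever the condition never ran, so the thing to verify is what value (if any) actually reaches `distinguishedName` in the request list, and in what case, at the moment the `if` is evaluated.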