On 13 Mar 2013, at 15:45, Robin Helgelin <lob...@gmail.com> wrote:

> On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
> <a.cudba...@freeradius.org> wrote:
>>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS
>>> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to
>>> note the comments about numbering i.e. pick a number from 3000-3999). Don't
>>> re-use an existing attribute - many of the xxGroup attributes have "magic"
>>> behaviour hooks.
>>
>> Phili is correct, but this will only work for something like AD, where you
>> have memberOf attributes which link a user account to a group.
>>
>> This also doesn't really work if you want a group name, and the membership
>> attributes specify a group DN, though it'd probably be pretty easy to figure
>> out the group name later (you could even do it within unlang if you're using
>> FR 3.0).
>
> Thanks, we're using the memberof overlay, and that might be working.
>
> First problem is that I need to rewrite the output from ldap to
> something the radius-client finds useful. But there are radius modules
> for rewriting things, right?

Um, yes, but you can probably just use unlang.

> Next problem seems to be that freeradius ignores when ldap is
> returning more than one group, am I correct?

Ignores what? If you're talking about an xlat query, then yes, it'll only provide the first result.

-Arran

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
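
The steps discussed in this thread (a local dictionary attribute, an ldap.attrmap entry, and an unlang rewrite of the group DN), put together as an added example that is not from any poster or from the FreeRADIUS project. The attribute name My-LDAP-Group, the sample DN and the choice of Filter-Id as the reply attribute are assumptions, as is a server layout that still uses ldap.attrmap.

```text
# --- raddb/dictionary (constructed entry) ---
# Local attribute numbered in the 3000-3999 range. The name My-LDAP-Group
# is made up for this example so that it does not reuse one of the
# existing *-Group attributes.
ATTRIBUTE	My-LDAP-Group		3000	string

# --- raddb/ldap.attrmap (constructed entry) ---
# ItemType	RADIUS-Attribute	ldapAttribute
# checkItem puts the value in the control list rather than the reply,
# so the raw DN is not what gets handed to the RADIUS client.
checkItem	My-LDAP-Group		memberOf

# --- unlang, in the authorize section after the ldap module ---
# Assumes memberOf holds a group DN such as (constructed value):
#   cn=netadmins,ou=groups,dc=example,dc=org
authorize {
	ldap

	# Capture the first RDN value of the DN. This handles a single
	# value only, and [^,]+ does not cope with escaped commas in
	# the group name.
	if ("%{control:My-LDAP-Group}" =~ /^cn=([^,]+),/i) {
		update reply {
			# Filter-Id is an assumption; use whichever
			# attribute the RADIUS client acts on.
			Filter-Id := "%{1}"
		}
	}
}
```

Running the server in debug mode (`radiusd -X`) shows whether My-LDAP-Group was populated from LDAP and what the regular expression captured.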