Hello all, I have a question regarding returning attributes from LDAP with freeRadius.
I need to do some logic comparing, and the only way I have been able to get close is to use the post-auth section, enable 'exec' and push out some data to an external program where I can do some pattern matching. Now I have this working just fine with LDAP; the DN and search filter are fine etc. What I want to do is return other attributes from LDAP to be included in the RADIUS reply. I have added the following to "dictionary_mapping = ${raddbdir}/ldap.attrmap":

    checkItem employeeType employeeType

When I run the server in debug mode, I see that it is in fact returning the value of the employeeType from LDAP. The question revolves around how to pass that out to my test program for validation? I have been able to pass out everything that is in the initial RADIUS request, but nothing else. I have tried to modify the program line below to also send out

    %{employeeType}
    %{check:employeeType}
    %{request:employeeType}
    %{reply:employeeType}

None of those work. I have even tried along the lines of %{modules.ldap.checkval}. I can't seem to get it to work. Any help would be appreciated.

Below is a snip of the radius configuration file, and the little program I have seen in the user groups to echo out the responses that I am using to test. I have verified that if I return a '0' the request is accepted, and a '1' will reject the request... That part works fine. Also below are parts of the debug dump. I don't have the actual connection portion of the log as I am at a remote site currently; I can send that along also if people think it will be of benefit. Thanks for any assistance!
- Reynold

radius.conf
-----------
exec {
        wait = yes
        input_pairs = request
        program = '${raddbdir}/test.sh %u %{Called-Station-Id}'
}

test.sh
-------
#!/bin/bash
# Echo the arguments rlm_exec passed on the command line, then accept (exit 0).
echo "A: $1"
echo "B: $2"
echo "C: $3"
exit 0

radiusd -X
----------
Module: Loaded exec
 exec: wait = yes
 exec: program = "/etc/raddb/test.sh %u %{Called-Station-Id}"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Loaded LDAP
 ldap: server = "<ldapserver>"
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "admin"
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = "pwd"
 ldap: basedn = "base-dn"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectClass=user)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "userpassword"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP employeeType mapped to RADIUS employeeType
conns: 0x8115218
Module: Instantiated ldap (ldap)
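The post passes attributes to the external program through the exec `program` line and `input_pairs = request`, which only covers the pairs in the Access-Request. A `checkItem` from ldap.attrmap lands in the check-item (config) list instead, so the program never sees it on that path. The script below is an added example, not the poster's test.sh and not part of FreeRADIUS. It assumes an exec instance with `input_pairs = config` (assumed here to select the check-item list; verify against the rlm_exec documentation of the version in use) and `wait = yes`, under which rlm_exec writes the selected pairs to the program's stdin, one per line, as `Attribute-Name op "value"` (check items normally carry `==` rather than `=`). The file name `check_employee.sh`, the `--run` argument and the accept/reject policy are constructed for the example; the exit status is what radiusd evaluates, exactly as in the poster's test.sh.

```shell
#!/bin/bash
# check_employee.sh (hypothetical name) - rlm_exec "wait = yes" helper.
#
# Assumed rlm_exec instance (example, not the poster's config):
#   exec {
#       wait        = yes
#       input_pairs = config     # check-item list, where ldap.attrmap "checkItem" entries land
#       program     = "${raddbdir}/check_employee.sh --run"
#   }
# rlm_exec writes that list to stdin, one pair per line: Attribute-Name op "value".
# Exit status 0 accepts the request; anything else rejects it. Lines printed
# to stdout are diagnostics only (they show up in radiusd -X output).

# Strip leading and trailing whitespace from $1.
trim() {
    s=$1
    s=${s#"${s%%[![:space:]]*}"}
    s=${s%"${s##*[![:space:]]}"}
    printf '%s' "$s"
}

# Print the value of attribute $1 found in the pair lines on stdin; return 1 if absent.
get_pair() {
    want=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        [ -n "$line" ] || continue
        # Attribute name: the leading run of letters, digits, '-', '_' and '.'.
        name=${line%%[![:alnum:]_.-]*}
        rest=$(trim "${line#"$name"}")
        # Operator: check items carry ==, :=, != ...; request pairs use "=".
        case $rest in
            '=='*|':='*|'!='*|'+='*|'-='*|'=~'*|'!~'*|'<='*|'>='*) op=${rest%"${rest#??}"} ;;
            '='*|'<'*|'>'*)                                       op=${rest%"${rest#?}"} ;;
            *) continue ;;                       # not an attribute line
        esac
        value=$(trim "${rest#"$op"}")
        # String values are printed inside double quotes; remove them.
        case $value in
            \"*\") value=${value#\"}; value=${value%\"} ;;
        esac
        if [ "$name" = "$want" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done
    return 1
}

# Policy (constructed for this example): staff are always accepted; contractors
# only when the Called-Station-Id starts with "VPN-"; everyone else is rejected.
policy() {
    et=$1
    csid=$2
    case $et in
        staff)      return 0 ;;
        contractor) case $csid in VPN-*) return 0 ;; esac; return 1 ;;
        *)          return 1 ;;
    esac
}

# Read the pairs rlm_exec wrote to stdin and decide. 0 = accept, 1 = reject.
check_access() {
    pairs=$(cat)
    et=$(printf '%s\n' "$pairs" | get_pair employeeType) \
        || { echo "reject: employeeType not present in input pairs"; return 1; }
    csid=$(printf '%s\n' "$pairs" | get_pair Called-Station-Id) || csid=""
    if policy "$et" "$csid"; then
        echo "accept: employeeType=$et Called-Station-Id=$csid"
        return 0
    fi
    echo "reject: employeeType=$et Called-Station-Id=$csid"
    return 1
}

# Invoked by rlm_exec with "--run": perform the check and exit with its status.
# Without the argument the file only defines the functions, so it can be sourced
# and exercised with constructed input before being wired into radiusd.
if [ "${1:-}" = "--run" ]; then
    check_access
    exit $?
fi
```

Because the missing attribute is treated as a reject rather than an accept, a misconfigured `input_pairs` (for instance leaving it at `request`) fails closed and is visible in the debug output as "employeeType not present in input pairs" instead of silently admitting everyone. `Called-Station-Id` is a request attribute, so a deployment that wants both lists in one program would either keep passing it on the `program` line as the poster does or add it to the check list in the `users` file; the parser above handles either spelling of the operator.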