Return User Groups in Class field
Alan DeKok
2018-11-14 15:59:02 UTC
> I use strongSwan to authenticate against FreeRadius, which it does successfully, but now I need FreeRadius to return the user's groups in the Class field so strongSwan can check the User belongs to a group [1].
> I've managed to work out how to add extra fields to the response by putting an update reply in the file /etc/raddb/sites-available/default
> post-auth {
> ...
>     update reply {
>         Class = "%{Ldap-Group}"

The issue is that LDAP-Group isn't a real attribute. It's just used to *compare* things. e.g.

if (LDAP-Group == "sales") {

That *doesn't* grab all of the user's groups and put them into the LDAP-Group attribute.

>     }
> ...
> }
> Is that the place to put it??
> but as you can see below, the Class is null.

And if you read the *rest* of the debug output, you would see it expanding the LDAP group, and returning an empty string. Or maybe even an *error* saying that the LDAP-Group attribute wasn't found.

The solution is to just update Class directly:

if (LDAP-Group == "sales") {
    update reply {
        Class := "sales"
    }
}

Alan DeKok.
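
The same approach extended to a user who may belong to more than one group, as an added example that is not part of the original message or the FreeRADIUS documentation. It assumes FreeRADIUS v3 with the ldap module enabled and group lookups configured; the group names are constructed.

```unlang
# Added example for /etc/raddb/sites-available/default (FreeRADIUS v3 unlang).
# Assumptions: the ldap module is enabled with group lookups configured;
# "sales" and "engineering" are constructed group names.
post-auth {
    # Each LDAP-Group comparison asks the ldap module whether the
    # authenticated user is a member of that one group. The attribute
    # never holds a list of groups, so "%{LDAP-Group}" has nothing to expand.
    if (LDAP-Group == "sales") {
        update reply {
            # += appends a Class attribute; := would overwrite a Class
            # value set by an earlier block.
            Class += "sales"
        }
    }

    # Separate "if" blocks (not "elsif") so a member of both groups
    # receives one Class attribute per group.
    if (LDAP-Group == "engineering") {
        update reply {
            Class += "engineering"
        }
    }

    # No match: no Class is added to the reply, so a client that
    # requires a group in Class has nothing to match against.
}
```

Only groups listed explicitly are ever returned, which keeps the set of group names exposed to the VPN gateway limited to the ones the policy names.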

