On 13 Mar 2013, at 10:52, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 13/03/13 14:44, Robin Helgelin wrote:
>> Hi!
>> 
>> I want to add the LDAP-users current groups as extra attributes to the
>> authentication reply.
>> 
>> Is it possible? I'm having a hard time finding documentation about this.
> 
> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS 
> attribute, and add the RADIUS attribute to raddb/dictionary (taking care to 
> note the comments about numbering i.e. pick a number from 3000-3999). Don't 
> re-use an existing attribute - many of the xxGroup attributes have "magic" 
> behaviour hooks.

Phil is correct, but this will only work for something like AD, where you have 
memberOf attributes which link a user account to a group.

This also doesn't really work if you want a group name, and the membership 
attributes specify a group DN, though it'd probably be pretty easy to figure 
out the group name later (you could even do it within unlang if you're using FR 
3.0).

Where you have the inverse, i.e. a group object specifying user names or user 
DNs, the code doesn't currently support group retrieval; feel free to submit 
patches.

-Arran
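
The group-name step mentioned above (memberOf returns a group DN, but a policy usually wants the group name), as an added example that is not part of either message and not FreeRADIUS code. It does the extraction in Python rather than unlang; the function names and sample DNs are constructed for illustration. Splitting on a bare comma breaks on escaped commas, which matters when the resulting name feeds an authorisation decision.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def split_unescaped(s, sep):
    """Split s on sep, skipping separators that follow a backslash (RFC 4514)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        step = 2 if s[i] == "\\" and i + 1 < len(s) else 1
        if step == 1 and s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i:i + step])  # escapes are kept intact for unescape()
        i += step
    parts.append("".join(buf))
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: '\\,' style pairs and '\\C3\\A9' style hex bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and HEX_PAIR.fullmatch(value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def group_name(dn):
    """Return the CN of the DN's leftmost RDN, or None if that RDN has no CN."""
    first_rdn = split_unescaped(dn, ",")[0]
    for ava in split_unescaped(first_rdn, "+"):  # multi-valued RDN: a=b+c=d
        key, eq, val = ava.partition("=")
        if eq and key.strip().lower() == "cn":
            return unescape(val)
    return None

# Constructed memberOf values (not taken from the thread).
SAMPLE = [r"CN=wifi-staff,OU=Groups,DC=example,DC=org",
          r"CN=Ops\, EMEA,OU=Groups,DC=example,DC=org",
          r"CN=Caf\C3\A9 Admins,OU=Groups,DC=example,DC=org"]

if __name__ == "__main__":
    print([group_name(dn) for dn in SAMPLE])
```

A naive `dn.split(",")[0]` on the second sample would yield `CN=Ops\`, a different string from the real group name.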