On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:

update request {
        Class = "%{Ldap-Group}"
}

You can't do that, because Ldap-Group is not a real attribute with a value; it's a virtual attribute, which you compare against (think about it - you can be in >1 group)

You would have to do something like this:

  # unlang compares with "=="; each Ldap-Group comparison is one LDAP query
  if (Ldap-Group == "grp1") {
    update reply {
      Class = "grp1"
    }
  }

...which can be slow-ish as it does 1 LDAP query per comparison.

Also note Class is a reply attribute; adding it to request does nothing.

I did read somewhere if you included the Class variable within the reply
in the Access-Accept packet that it would be sent back and used within
the accounting messages as well but this hasn’t been the case for me.

Well, as noted above you're setting class in "request" not "reply".


Even if it’s just some static variable that I set within the
‘acct_users’ to get it to send the class attribute; this will achieve my
goal.

Assuming that the ‘users’ file and the ‘acct_users’ file have the same
behaviour then why can’t I set Class within the ‘acct_users’ file like I
can with ‘users’ file?

acct_users runs on accounting packets, which is *after* the Access-Accept has been sent. You need to set it in "authorize" or better yet, "post-auth", for it to get into the Access-Accept.
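
Putting the advice in this reply together, as an added example that is not part of the original message: a FreeRADIUS 2.x style post-auth section that maps the first matching LDAP group to Class in the reply. The group name grp2 and the fallback value "nogroup" are constructed for illustration.

```unlang
post-auth {
    # Runs before the Access-Accept is sent, so whatever is placed
    # in "reply" here ends up in that packet.
    #
    # Ldap-Group is a virtual attribute: it can only be compared,
    # and every comparison costs one LDAP query. An if/elsif chain
    # stops at the first match, so list the most common group first.
    if (Ldap-Group == "grp1") {
        update reply {
            Class := "grp1"
        }
    }
    elsif (Ldap-Group == "grp2") {      # constructed second group
        update reply {
            Class := "grp2"
        }
    }
    else {
        # Constructed fallback so accounting records always carry
        # a Class value, even for users in none of the groups.
        update reply {
            Class := "nogroup"
        }
    }
}
```

With Class in the Access-Accept, a NAS that follows RFC 2865 sends it back unmodified in the Accounting-Request packets for that session, so nothing needs to be set in acct_users.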