I wonder if it's possible to do LDAP lookups when handling accounting (start)
packets? This would likely mean adding an "ldap" entry to the accounting{}
section of the radiusd.conf file.
At the moment I am calling an external script from the acct-users file using:
    DEFAULT Acct-Status-Type == Start
            Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"
but this is inefficient as I want to only start an external interpreter if an
LDAP attribute is set to certain values. If the FreeRADIUS daemon, which holds
open sessions to the LDAP server, can re-use those connections during the
accounting phase, and the acct-users file could restrict calling the external
code based on those attributes ... something like:
    DEFAULT Acct-Status-Type == Start, Ldap_Attribute == My_Specific_Value_1
            Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"
    DEFAULT Acct-Status-Type == Start, Ldap_Attribute == My_Specific_Value_2
            Exec-Program = "/etc/freeradius/scripts/acct_start.py %{User-Name}"
I've not found anyone who has tried this.
Is it a bad idea to try to get the "rlm_ldap" module called from the
accounting{} section? Can the returned attributes be mapped or accessed such as
{%ldap:Attribute_Name} or similar?
I'm prepared to do some development work to get this working - I know that when
I last looked at FreeRADIUS 1.0.2, accessing LDAP attributes from the users
files was not possible.
Any ideas or comments or pointers would be gratefully received.
tariq