"Conditional" LDAP Profile

CJ cjl at viptalk.net
Sun Aug 5 22:00:15 CEST 2007


Using 1.1.6 out of FreeBSD ports (no 1.1.7 yet).

Looking to use LDAP-stored attributes conditionally based on hints:

I start here in hints:

      DEFAULT Prefix == "static:", Strip-User-Name = Yes
              Hint = "STATIC",
              Service-Type = Framed-User,
              Framed-Protocol = PPP

      DEFAULT
              Service-Type = Framed-User,
              Framed-Protocol = PPP

That works fine.  Then we go to users:

      DEFAULT Auth-Type = LDAP
              Fall-Through = 1

      DEFAULT Service-Type == Framed-User
              Framed-IP-Address = 255.255.255.254,
              Framed-MTU = 576,
              Service-Type = Framed-User,
              Fall-Through = Yes

      DEFAULT Framed-Protocol == PPP
              Framed-Protocol = PPP,
              Framed-Compression = Van-Jacobson-TCP-IP,
              Fall-Through = Yes

      DEFAULT Hint == "STATIC", User-Profile := `uid=%u,ou=dialup,ou=radius,domain=example.com,dc=example,dc=com`
            Reply-Message = `%u`

It appears that my User-Profile := `DN` does not go through
radius_xlat and my %u variable in the check item is never expanded.
Is this expected behavior?

If I hard-code the DN with the user-name instead of %u it works
great, but won't solve my problem.

I got the idea from the rlm_ldap doc:

     ...it can be set through the hints file in the authorize section:

     DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`

Any thoughts or guidance or clarity on LDAP profile usage appreciated.


