User-Profile per user per NAS via LDAP? [SEC=UNCLASSIFIED]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Wed Jul 23 09:08:51 CEST 2008
UNCLASSIFIED
Running version 2.0.5, with LDAP backend for
authentication/authorization.
Needed functionality: A single user account needs a different
ldap/radius profile depending on which huntgroup the request is coming
in on... the reason is that each user has a different Framed-IP-Address
for each VPN concentrator they are coming in on. So each user needs a
profile per NAS, I believe.
I have separated out each NAS into its appropriate huntgroup, and am
matching on that in the users file. Also trying to dynamically set the
User-Profile.
DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`
        Fall-Through = no
(entire users file at the end of this message).
The user is authenticated successfully (so the group matching and the
%{Huntgroup-Name} expansion are working fine), but the User-Profile is
not being set. If I hard code in the value for uid, it works, so the
problem is in the variable.
I had a similar problem and ended up using a rewrite rule to solve it.
For 1.1.x here is the rule I used to derive a dn from a huntgroup:
attr_rewrite uprof {
        attribute = User-Profile
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = config
        searchfor = ""
        replacewith = "cn=%{Huntgroup-Name},ou=Profiles,dc=..."
        ignore_case = no
        new_attribute = yes
        max_matches = 10
        append = no
}
The call to uprof is in the authorize section. I placed it after 'files'
and before 'ldap'.
So setting the replacewith =
"uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"
should do exactly what you want.
However, using FR 2.x you can probably use unlang to do the same thing
in a much clearer manner.
regards,
Frank Ranner
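Frank's closing suggestion, written out as an added unlang example for the FreeRADIUS 2.x authorize section (this is not from the thread). It assumes the huntgroup names and DN layout from the question, and the regex guard is an assumption added here because %{User-Name} is not LDAP-escaped when expanded inside unlang, so a name containing ',' or '=' would otherwise be able to alter the DN that the ldap module later searches.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x)
authorize {
        preprocess      # fills in Huntgroup-Name from the huntgroups file
        files

        # Build the per-NAS profile DN only when a huntgroup matched and the
        # user name contains nothing that could rewrite the DN. Other names
        # simply get no User-Profile. (Added guard, not from the thread.)
        if (Huntgroup-Name && (User-Name =~ /^[a-zA-Z0-9._-]+$/)) {
                update control {
                        User-Profile := "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"
                }
        }

        ldap
}
```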