RE: User-Profile per user per NAS via LDAP? [SEC=UNCLASSIFIED]
Running version 2.0.5, with LDAP backend for authentication/authorization.

Needed functionality: a single user account needs a different LDAP/RADIUS profile depending on which huntgroup the request is coming in on. The reason is that each user has a different Framed-IP-Address for each VPN concentrator they are coming in on, so each user needs a profile per NAS, I believe.

I have separated out each NAS into its appropriate huntgroup, and am matching on that in the users file. I am also trying to dynamically set the User-Profile:
    DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == "cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net", User-Profile := "uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net"
            Fall-Through = no
(entire users file at the end of this message).

The user is authenticated successfully (so the group matching and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is not being set. If I hard code in the value for uid, it works, so the problem is in the variable.
I had a similar problem and ended up using a rewrite rule to solve it. For 1.1.x, here is the rule I used to derive a dn from a huntgroup:
    attr_rewrite uprof {
            attribute = User-Profile
            # may be "packet", "reply", "proxy", "proxy_reply" or "config"
            searchin = config
            searchfor = ""
            replacewith = "cn=%{Huntgroup-Name},ou=Profiles,dc=..."
            ignore_case = no
            new_attribute = yes
            max_matches = 10
            append = no
    }
The call to uprof is in the authorize section. I placed it after 'files' and before 'ldap'.

So setting

    replacewith = "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"

should do exactly what you want.

However, using FR 2.x you can probably use unlang to do the same thing in a much clearer manner.
regards,
Frank Ranner
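For the unlang route Frank mentions, here is an added example (editor's own, not code from either poster) of an authorize section for FreeRADIUS 2.x that derives the per-huntgroup profile DN with one rule instead of one users entry per huntgroup. It assumes the huntgroups file has already tagged the request with Huntgroup-Name via preprocess, that the ldap module is loaded so the Ldap-Group comparison is available in a condition, and it reuses the geowireless DNs from the thread.

```unlang
# sites-enabled/default, authorize section (FreeRADIUS 2.x) -- added example
authorize {
        # preprocess reads raddb/huntgroups and adds Huntgroup-Name to the request
        preprocess

        # Derive a profile only for requests that arrived on a known huntgroup
        # AND whose user is a member of the LDAP group for that huntgroup.
        # Both %{Huntgroup-Name} and %{User-Name} are xlat-expanded inside
        # "update", so one rule covers every VPN concentrator.
        if (Huntgroup-Name && (Ldap-Group == "cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net")) {
                update control {
                        User-Profile := "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"
                }
        }
        else {
                # Unknown NAS or user not in the group for it: refuse rather than
                # fall back to a shared profile, so a user cannot be handed the
                # Framed-IP-Address that belongs to another concentrator.
                reject
        }

        # ldap reads control:User-Profile and returns that DN's attributes
        # (Framed-IP-Address etc.) as the reply for this NAS.
        ldap
}
```

Run radiusd -X once and confirm the debug output shows the expanded User-Profile DN before the ldap module runs; if the update block never fires, check that Huntgroup-Name is actually present in the request after preprocess.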