pulling dn for User-Profile from ldap
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Jul 4 20:05:09 CEST 2013
On 4 Jul 2013, at 18:33, Martin Kraus <lists_mk at wujiman.net> wrote:
> Hi.
> I'd like to give users an option to specify which network to connect to
> using something like
>
> helpdesk\username at realm
> admins\username at realm
>
> I was thinking of stripping the network part in hints and saving it in a
> variable say Preferred-Network and then match on it in users
>
> DEFAULT Ldap-Group="%{Preferred-Network}" User-Profile := "%{Profile-DN}"
>
That's missing a comma.
> Profile-DN would be matched to seeAlso in ldap.attr
You mean mapped?
Don't try and use the users file for complex stuff like this.
In your profile objects add an attribute for preferredNetwork.
Use ldap xlat to search in the directory for an profile object with a preferredNetwork attribute which matches the stripped path of the username, specify DN as the attribute to retrieve.
Something like:
authorize {
update control {
User-Profile := "%{ldap:ldap:///<base dn>?DN?sub?prefferedNetwork=%{<your_preferred_network_attr>}}"
}
if (!control:User-Profile) {
reject # or whatever you want to do for this case
}
ldap
}
But even that's kinda slow. You might want to take a look at using the caching module with %{<your_preferred_network_attr>} as the key.
Then at least you avoid the lookup for the profile DN every time.
If the ldap_xlat DN thing doesn't work (I think you can retrieve the DN using the attribute list, but not 100%) I can add a hack to 3.0 for it. But you'll need to upgrade.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
More information about the Freeradius-Users
mailing list