pulling dn for User-Profile from ldap
Martin Kraus
lists_mk at wujiman.net
Mon Jul 8 12:24:31 CEST 2013
On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
> Don't try and use the users file for complex stuff like this.
>
> In your profile objects add an attribute for preferredNetwork.
>
> Use ldap xlat to search in the directory for a profile object with a preferredNetwork attribute which matches the stripped path of the username, specify DN as the attribute to retrieve.
>
> Something like:
>
> authorize {
>     update control {
>         User-Profile := "%{ldap:ldap:///<base dn>?DN?sub?preferredNetwork=%{<your_preferred_network_attr>}}"
>     }
>
>     if (!control:User-Profile) {
>         reject # or whatever you want to do for this case
>     }
>
>     ldap
> }
Hi.
Thanks for the pointers.
I actually needed to search for group membership as well as the group name:
User-Profile := "%{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}"
This checks whether the current user is a member of the group he/she sent as
preferred and returns the pointer to the group radius profile.
I'm of course hitting a problem with eap where it complains that the eap
identity is different from the User-Name, because I'm changing User-Name
in hints file but I'll work around it somehow.
Thanks again
Martin
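An added example, not code from this thread: Martin's membership filter built in Python with RFC 4515 escaping of the values that are expanded into it (the ldap xlat escapes its own expansions; this is for reproducing the lookup from a script), plus the "no single match means no profile, so reject" rule from Arran's authorize block. The `search` callable and the directory stand-in are assumptions; the base DN and attribute names come from Martin's xlat.

```python
from typing import Callable, List, Optional

BASE_DN = "ou=groups,dc=wuji,dc=cz"   # base DN from the xlat in the post
PROFILE_ATTR = "seeAlso"              # group attribute that points at the RADIUS profile


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3.

    '*', '(', ')', '\\' and NUL become \\xx hex escapes, so a user-supplied
    Preferred-Network cannot change the structure of the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\" or ord(ch) == 0 else ch
        for ch in value
    )


def profile_filter(preferred_network: str, user_dn: str) -> str:
    """Same filter as the xlat: the group named <preferred_network>
    that lists the authenticating user's DN as a uniqueMember."""
    return "(&(cn=%s)(uniqueMember=%s))" % (
        ldap_filter_escape(preferred_network),
        ldap_filter_escape(user_dn),
    )


def lookup_profile(preferred_network: str, user_dn: str,
                   search: Callable[[str, str, str], List[str]]) -> Optional[str]:
    """Return the profile DN, or None when the caller should reject.

    search(base, filter, attr) is an assumed helper returning attribute values.
    An empty Preferred-Network, no match, or an ambiguous match all yield None,
    mirroring `if (!control:User-Profile) { reject }`.
    """
    if not preferred_network:
        return None
    values = search(BASE_DN, profile_filter(preferred_network, user_dn), PROFILE_ATTR)
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    # Constructed stand-in for the directory: one group with one member.
    def fake_search(base: str, flt: str, attr: str) -> List[str]:
        alice = "uid=alice,ou=people,dc=wuji,dc=cz"
        if flt == profile_filter("wifi-staff", alice):
            return ["cn=staff-profile,ou=profiles,dc=wuji,dc=cz"]
        return []

    print(lookup_profile("wifi-staff", "uid=alice,ou=people,dc=wuji,dc=cz", fake_search))
    print(lookup_profile("wifi-staff", "uid=bob,ou=people,dc=wuji,dc=cz", fake_search))
```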
More information about the Freeradius-Users mailing list