populate a reply with ldap generic attributes

Nicolas Edel nicolas.edel at gmail.com
Mon Nov 10 15:23:27 CET 2014


On Mon, Nov 10, 2014 at 3:20 PM, Arran Cudbard-Bell
<a.cudbardb at freeradius.org> wrote:
>
>> On 10 Nov 2014, at 08:53, Nicolas Edel <nicolas.edel at gmail.com> wrote:
>>
>> On Mon, Nov 10, 2014 at 2:26 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>> Nicolas Edel wrote:
>>>> Now I'd like to retrieve the attributes (in post-auth or other, no
>>>> matter) from within the directory itself instead of hard-coding them
>>>> in the radius configuration. This is not a show stopper but it would
>>>> really help.
>>>
>>>  I don't think you can use an LDAP attribute to determine which *other*
>>> LDAP attribute to get RADIUS attributes from.  That's very involved.
>>>
>>>  Perhaps you could explain what you're trying to do.  Talking about
>>> problems is more useful than asking why a solution doesn't work.  There
>>> may be other solutions to the problem which you haven't seen.
>>
>> I have dozens of network machines (routers, switches, fw, etc.) that
>> use radius auth.
>> All user info on this network is stored in an LDAP directory. Each
>> one may have access to some machines with different rights (denied,
>> readonly, etc). For each machine I must be able to define a custom
>> profile (i.e. with custom radius attributes) for any user, but they
>> usually have a predefined profile set.
>>
>> The reasons for making each predefined profile a plain ldap leaf are:
>> - it avoids data duplication
>> - the propagation of any change in one of the predefined profiles becomes automatic
>>
>> Hope my explanations are clear enough ...
>
> Yes, use the 'profiles' functionality which does exactly what you just specified.
>
> You add an attribute with the dn of a profile object to the user object
>
> https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/ldap#L211
>

Damned, how did I miss this ...
Many (many) thanks!

:Nicolas

