[LDAP] User-Profile assigned only if set in user attr radiusProfileDn

Zeus Panchenko zeus at ibs.dn.ua
Sat Aug 15 10:34:23 CEST 2015


greetings,

FR 3.0.x git 180e0b27022237a5f75c3c25d7eb1dbded634bad

am I correct to expect User-Profile assigned if user belongs to Ldap-Group?

here is how I supposed to get it working:

---[ file `users' quotation start ]-------------------------------------------
...
DEFAULT Ldap-Group == "wifi-ABC", Called-Station-SSID == "ABC", Login-Time := 'Al0700-2200', User-Profile := "cn=wifi-ABC,ou=profiles,ou=RADIUS,dc=xyz"
       Reply-Message := "User-Profile is %{control:User-Profile}",
       Fall-Through = no
...
---[ file `users' quotation end   ]-------------------------------------------



here is what I have in debug:

---[ debug quotation start ]-------------------------------------------
...
(6) files: Searching for user in group "wifi-ABC"
...
(6) files: User found in group object "ou=groups,ou=RADIUS,dc=xyz"
rlm_ldap (ldap): Released connection (9)
(6) files: users: Matched entry DEFAULT at line 95
(6) files: EXPAND User-Profile is %{control:User-Profile}
(6) files:    --> User-Profile is 
(6)       [files] = ok
rlm_ldap (ldap): Reserved connection (10)
...
(6) ldap: User object found at DN "uid=rad-jdoe,authorizedService=802.1x-eap-tls at xyz,uid=jdoe,ou=People,dc=xyz"
(6) ldap: Waiting for search result...
(6) ldap: Processing user attributes
(6) ldap: control:Cleartext-Password := '********'
(6) ldap: control:Password-With-Header += '********'
r_ldap (ldap): Released connection (326)
(6)     [ldap] = updated
...
---[ debug quotation end   ]-------------------------------------------

no evidence that profile attributes were searched/processed ...

my user is found to be a part of Ldap-Group, how to know why
User-Profile is not assigned?

in documentation it is written: if user is a part of Ldap-Group, the
User-Profile will be assigned to the user.

the only way I found to get User-Profile assigned to user is to set
attribute radiusProfileDn value in user object directly ... but this
causes a one-user-one-profile result, which is not the result I hoped for

where am I mistaken?

-- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)