[LDAP] User-Profile assigned only if set in user attr radiusProfileDn
Alan DeKok
aland at deployingradius.com
Sun Aug 16 18:43:49 CEST 2015
On Aug 16, 2015, at 5:44 PM, Zeus Panchenko <zeus at ibs.dn.ua> wrote:
> so, am I wrong to expect User-Profile assignment in case the user is the
> member of Ldap_Group, when `users' file contains that DEFAULT
> definition?
>
> DEFAULT Ldap-Group == ..., User-Profile := ...

Yes, that should work. But what you are missing is that assigning User-Profile in the "users" file assigns it to the *request* list. Not the *control* list.

> or, is it the only way to get User-Profile assigned according to the Ldap-Group membership, to:
>
> post-auth {
>     if (LDAP-Group == "LDAP Group One") {
>         User-Profile := "cn=userprofile1,ou=profiles,ou=RADIUS,dc=xyz"

And that isn't a valid statement. You need an "update" statement.

> then how is it correct to assign the profile?

You assigned it like any other attribute. Starting off by reading the documentation, and using the correct syntax.

> FreeRADIUS Beginner's Guide by Dirk van der Walt, Published by Packt Publishing Ltd in 2011
> p.113 heading "Ldap-Group and User-Profile AVP"

Well... we didn't write that.

> ---[ quotation start ]-------------------------------------------
> ...
> Ldap-Group and User-Profile are usually paired together. First an LDAP search is
> done to check if a user is part of an Ldap-Group. If true, the specified User-Profile is
> assigned. If not true, the specified User-Profile is not assigned.

That's done when the "ldap" module is run in the "authorize" stage. It is NOT done when you manually tell the server to do an LDAP-Group check.

Alan DeKok.
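
The syntax point from the reply above, as an added example that is not part of the original message or of FreeRADIUS's shipped configuration: the assignment from the question wrapped in an "update" block that targets the control list. Placing it in "authorize" ahead of the "ldap" module is an assumption drawn from the reply's remark that the profile is applied when "ldap" runs in that stage; the group name and profile DN are the ones from the question.

```unlang
# Added example (FreeRADIUS 3.x unlang), not the project's own config.
# Assumes an LDAP module instance named "ldap" is already configured.

authorize {
    # Rejected form from the question: a bare assignment inside "if"
    # is not a statement unlang accepts.
    #
    #   if (LDAP-Group == "LDAP Group One") {
    #       User-Profile := "cn=userprofile1,ou=profiles,ou=RADIUS,dc=xyz"
    #   }

    # Accepted form: attributes are only modified inside "update <list>".
    # The list here is "control", the list the reply says the "users"
    # file entry was not writing to.
    if (LDAP-Group == "LDAP Group One") {
        update control {
            User-Profile := "cn=userprofile1,ou=profiles,ou=RADIUS,dc=xyz"
        }
    }

    # Assumption: the ldap module reads control:User-Profile when it runs
    # in this section, so the update above must come before this line.
    ldap
}
```

Running the server with `radiusd -X` shows the "update control" step and whether the ldap module then applies the profile.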