well , i define a ldap-group check policy # devicemanager_check { if (Ldap-Group == "DeviceManager") { update reply { &User-Profile := "cn=DeviceManager,ou=Admin,ou=Group,dc=gd,dc=quantum-info,dc=com" } } elsif (Ldap-Group == "Device_Write") { update reply { &Reply-Message += "Welcome,Device Operator" } } elsif (Ldap-Group == "Device_Reivew") { update reply { &Reply-Message += "Welcome Device Reviewer" } } else { update reply { &Reply-Message += "you are not authorized to access , please confirm that you have the permission..." } reject } } i am not sure that user override the User-Profile or not. On 03/17/2016 10:56 AM, MichaelLeung wrote:
hi list
my freeradius version is 3.0.4
i have enabled ldap modules and the radius profile feature of it .
and i need to check the user is in the speacific Ldap-Group, and assign the User-Profile which contain all radius Reply-Items in it . so when my NAS try to authenticate , i can only see radius -X responding : (0) Sending Access-Accept packet to host 10.1.1.13 port 1812, id=96, length=0 (0) User-Profile := 'cn=Device_Superior,ou=Admin,ou=Group,dc=gd,dc=abc,dc=com' it was not going to print out what reply item the User-Profile contained. and actually, i define the reply item as Huawei-Exec-Privilege := "15" it will give the highest admin right to the user belong to Group Device_Superior to Operate the Device .
how can i debug the User-Profile?