pulling dn for User-Profile from ldap

Martin Kraus lists_mk at wujiman.net
Mon Jul 8 12:24:31 CEST 2013

On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
> Don't try and use the users file for complex stuff like this.
> In your profile objects add an attribute for preferredNetwork.
> Use ldap xlat to search in the directory for an profile object with a preferredNetwork attribute which matches the stripped path of the username, specify DN as the attribute to retrieve.
> Something like:
> authorize {
> 	update control {
> 		User-Profile := "%{ldap:ldap:///<base dn>?DN?sub?prefferedNetwork=%{<your_preferred_network_attr>}}"
> 	}
> 	if (!control:User-Profile) {
> 		reject # or whatever you want to do for this case
> 	}
> 	ldap
> }

Thanks for the pointers. 

I actually needed to search for group membership as well as the group name:

User-Profile := "%{ldap-main:ldap:///ou=groups,dc=wuji,dc=cz?seeAlso?sub?(&(cn=%{Preferred-Network})(uniqueMember=%{control:Ldap-UserDn}))}"

This checks whether the current user is a member of the group he/she sent as
preferred and returns the pointer to the group radius profile.

I'm of course hitting a problem with eap where it complains that the eap
identity is different from the User-Name, because I'm changing User-Name
in hints file but I'll work around it somehow.

thanks again

More information about the Freeradius-Users mailing list