ldap: multiple radius profiles
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Sep 2 15:23:47 CEST 2013
>
> I don’t know how to configure FreeRADIUS to read the “radiusGroupName” attribute and attach the configured return Items to the return list.
*configured reply items to the reply list.
>
> Using unlang I am able to do this:
> if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
>     update reply {
>         Alcatel-Access-Priv = Alcatel-Read-Priv
>         Alcatel-Access-Priv += Alcatel-Write-Priv
>         Alcatel-Access-Priv += Alcatel-Admin-Priv
>         Alcatel-Acce-Priv-F-W1 := 0xffffffff
>         Alcatel-Acce-Priv-F-W2 := 0xffffffff
>         Alcatel-Asa-Access := All
>     }
> }
> if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
>     update reply {
>         NS-Admin-Privilege := Root-Admin
>     }
> }
>
> This is working fine but has the disadvantage that I have to configure the return items statically in the FreeRADIUS configuration files.
Yes.
> I want to manage these profiles also in ldap. Is this possible?
Well yes, that's the point of RADIUS profiles in LDAP.
You need to set the "profile_attribute" configuration item to "radiusGroupName". IIRC you also need to use full DNs for the radiusGroupName values.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
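
The reply's note about full DNs can be checked before switching to LDAP-held profiles. The following is an added example, not part of the original thread or of FreeRADIUS: it scans a directory export and reports radiusGroupName values that are not full DNs or that point at no entry. The user entries are constructed, and it assumes plain-text (non-base64) LDIF with the profile entries in the same export.

```python
import re

# Constructed sample export, trimmed to the attributes the check reads.
SAMPLE_LDIF = """\
dn: cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com
cn: aosReadWrite

dn: uid=alice,ou=people,ou=radius,dc=example,dc=com
radiusGroupName: cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com

dn: uid=bob,ou=people,ou=radius,dc=example,dc=com
radiusGroupName: aosReadWrite

dn: uid=carol,ou=people,ou=radius,dc=example,dc=com
radiusGroupName: cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com
"""
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def parse_ldif(text):
    """Return a list of entries, each a list of (attribute, value) pairs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = block.replace("\n ", "")  # unfold continuation lines
        lines = [l for l in block.splitlines() if ":" in l and not l.startswith("#")]
        entries.append([(a.strip().lower(), v.strip())
                        for a, _, v in (l.partition(":") for l in lines)])
    return entries

def normalize_dn(value):
    """Comparable form of a DN, or None for a bare name or malformed value."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", value)]
    if len(rdns) < 2 or not all(RDN.match(r) for r in rdns):
        return None
    return ",".join(r.lower() for r in rdns)

def check_profiles(ldif_text, attr="radiusGroupName"):
    """Return (owner DN, value, reason) for each unusable profile reference."""
    entries = parse_ldif(ldif_text)
    known = {normalize_dn(dict(e).get("dn", "")) for e in entries}
    problems = []
    for entry in entries:
        owner = dict(entry).get("dn", "?")
        for name, value in entry:
            if name != attr.lower():
                continue
            dn = normalize_dn(value)
            if dn is None:
                problems.append((owner, value, "not a full DN"))
            elif dn not in known:
                problems.append((owner, value, "no such entry"))
    return problems
```
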