populate a reply with ldap generic attributes

Nicolas Edel nicolas.edel at gmail.com
Mon Nov 10 14:53:00 CET 2014


On Mon, Nov 10, 2014 at 2:26 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Nicolas Edel wrote:
>> Now I'd like to retrieve the attributes (in post-auth or other, no
>> matter) from within the directory itself instead of hard-coding them
>> in the radius configuration. This is not a show stopper but it would
>> really help.
>
>   I don't think you can use an LDAP attribute to determine which *other*
> LDAP attribute to get RADIUS attributes from.  That's very involved.
>
>   Perhaps you could explain what you're trying to do.  Talking about
> problems is more useful than asking why a solution doesn't work.  There
> may be other solutions to the problem which you haven't seen.

I have dozens of network machines (routers, switches, fw, etc.) that
use radius auth.
All user info on this network is stored in an LDAP directory. Each
one may have access to some machines with different rights (denied,
readonly, etc). For each machine I must be able to define a custom
profile (i.e. with custom radius attributes) for any user, but they
usually have a predefined profile set.

The reasons for making each predefined profile a plain ldap leaf are:
- it avoids data duplication
- the propagation of any change in one of the predefined profiles becomes automatic

Hope my explanations are clear enough ...

:Nicolas

