populate a reply with ldap generic attributes
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Mon Nov 10 15:20:31 CET 2014
> On 10 Nov 2014, at 08:53, Nicolas Edel <nicolas.edel at gmail.com> wrote:
>
> On Mon, Nov 10, 2014 at 2:26 PM, Alan DeKok <aland at deployingradius.com> wrote:
>> Nicolas Edel wrote:
>>> Now I'd like to retrieve the attributes (in post-auth or other, no
>>> matter) from within the directory itself instead of hard-coding them
>>> in the radius configuration. This is not a show stopper but it would
>>> really help.
>>
>> I don't think you can use an LDAP attribute to determine which *other*
>> LDAP attribute to get RADIUS attributes from. That's very involved.
>>
>> Perhaps you could explain what you're trying to do. Talking about
>> problems is more useful than asking why a solution doesn't work. There
>> may be other solutions to the problem which you haven't seen.
>
> I have dozens of network machines (routers, switches, fw, etc.) that
> use radius auth.
> All users' info on this network is stored in an LDAP directory. Each
> one may have access to some machines with different rights (denied,
> readonly, etc). For each machine I must be able to define a custom
> profile (i.e. with custom radius attributes) for any user, but they
> usually have a predefined profile set.
>
> The reasons for making each predefined profile a plain ldap leaf are:
> - it avoids data duplication
> - the propagation of any change in one of the predefined profiles becomes automatic
>
> Hope my explanations are clear enough ...
Yes, use the 'profiles' functionality, which does exactly what you just specified.
You add an attribute with the DN of a profile object to the user object:
https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-available/ldap#L211
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
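
The layout described in the reply above, as an added example that is not part of the original post or of the FreeRADIUS distribution: a shared profile leaf holding generic reply attributes, and a user entry that points at it by DN. The `dc=example,dc=org` tree, entry names and attribute values are constructed, and the entries assume the FreeRADIUS LDAP schema is loaded with `radiusprofile` usable as an auxiliary class.

```ldif
# Relevant parts of mods-available/ldap (rlm_ldap), shown as comments.
# Everything else in the module configuration is left at its defaults.
#
#   update {
#       # generic mapping: each LDAP value is parsed as "Attr op value"
#       reply: += 'radiusReplyAttribute'
#   }
#   profile {
#       # user-object attribute whose value is the DN of a profile object
#       attribute = 'radiusProfileDn'
#   }

# Shared, predefined profile stored once as a plain leaf (constructed entry).
# Changing it here changes the reply for every user that references it.
dn: cn=net-readonly,ou=profiles,dc=example,dc=org
objectClass: organizationalRole
objectClass: radiusprofile
cn: net-readonly
radiusReplyAttribute: Service-Type := NAS-Prompt-User
radiusReplyAttribute: Reply-Message := "read-only profile"

# User object (constructed entry) that inherits the profile by reference
# instead of duplicating its RADIUS attributes.
dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: jdoe
cn: John Doe
sn: Doe
radiusProfileDn: cn=net-readonly,ou=profiles,dc=example,dc=org
```

Because the profile DN is followed at request time, write access to the profile subtree is equivalent to control over the authorization of every user that references it, so restrict it in the directory ACLs accordingly.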