[LDAP] User-Profile assigned only if set in user attr radiusProfileDn

Zeus Panchenko zeus at ibs.dn.ua
Sun Aug 16 17:44:57 CEST 2015 

Alan DeKok <aland at deployingradius.com> wrote:
> > User-Profile is not assigned?
> 
>   Because it doesn't assign User-Profile when doing LDAP group checks.

so, am I wrong to expect User-Profile assignment in case the user is the
member of Ldap_Group, when `users' file contains that DEFAULT
definition?

DEFAULT Ldap-Group == ..., User-Profile := ...

or, is it the only way to get User-Profile assigned according the Ldap-Group membership, to:

post-auth {
        if (LDAP-Group == "LDAP Group One") {
                User-Profile := "cn=userprofile1,ou=profiles,ou=RADIUS,dc=xyz"
        }
}

then how is it correct to assign the profile? is syntax above correct?


> > in documentation it is written: if user is a part of Ldap-Group, the
> > User-Profile will be assigned to the user.
> 
>   What documentation says that?

FreeRADIUS Beginner's Guide by Dirk van der Walt, Published by Packt Publishing Ltd in 2011
p.113 heading "Ldap-Group and User-Profile AVP"

---[ quotation start ]-------------------------------------------
...
Ldap-Group and User-Profile are usually paired together. First an LDAP search is 
done to check if a user is part of an Ldap-Group. If true, the specified User-Profile is 
assigned. If not true, the specified User-Profile is not assigned.

Let's make use of it:
1. Edit the users file and add the following to the bottom:
...
DEFAULT Ldap-Group == teachers, User-Profile := "cn=teachers,ou
=profiles,ou=radius,dc=my-domain,dc=com"
    Fall-Through = no
...
Let's look at some important points:
...
 * If the user is part of the Ldap-Group, the User-Profile will be assigned to the 
user. A User-Profile specified as a DN causes the ldap module to search for the 
DN during authorization:
[ldap] performing search in cn=teachers,ou=profiles,ou=radius,d
c=my-domain,dc=com, with filter (objectclass=radiusprofile)
...
---[ quotation end   ]-------------------------------------------

-- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 180 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150816/b14760fd/attachment.sig>

More information about the Freeradius-Users mailing list