[LDAP] User-Profile assigned only if set in user attr radiusProfileDn

Zeus Panchenko zeus at ibs.dn.ua
Sun Aug 16 19:14:00 CEST 2015


Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
> > then how is it correct to assign the profile? is syntax above correct?
> 
> That documentation wasn't updated for v3.0.x unfortunately.

thank you, Arran, for pointing that out

> If you wanted to use it you'd

I do know what I want, I have no idea *how* to achieve that with FR :(
I used users file only because I didn't find anything else ...

I need to assign User-Profile ABC to each user who belongs to Ldap-Group
ABC, not the default profile for all users but only for the ones who belong
to the group

in the doc quoted in my previous post it is rather clear that it works
via file users ... because of that I used exactly that way ...


> I'd try listing debug_control after calling the users file and seeing if the value for
> User-Profile appears there.

here it is:

---[ debug quotation start ]-------------------------------------------
...
(7) files: Searching for user in group "wifi-abc"
...
(7) files: User found in group object "ou=groups,ou=RADIUS,dc=xyz"
rlm_ldap (ldap): Released connection (1)
(7) files: users: Matched entry DEFAULT at line 78
(7) files: EXPAND %{User-Name}, SSID: %{Called-Station-SSID} access was permited and %{control:User-Profile} was assigned to you.
(7) files:    --> rad-visitor, SSID: ABC access was permited and  was assigned to you.
(7)     [files] = ok
(7)     policy debug_control {
(7)       if ("%{debug_attr:control:}" == '') {
(7)       Attributes matching "control:"
(7)         &control:LDAP-UserDN = uid=rad-visitor,authorizedService=802.1x-eap-tls at xyz,uid=jdoe,ou=People,dc=xyz
(7)         &control:User-Profile := cn=wifi-abc,ou=profiles,ou=RADIUS,dc=xyz
(7)         EXPAND %{debug_attr:control:}
(7)            --> 
(7)         if ("%{debug_attr:control:}" == '')  -> TRUE
(7)         if ("%{debug_attr:control:}" == '')  {
(7)           [noop] = noop
(7)         } # if ("%{debug_attr:control:}" == '')  = noop
(7)       } # policy debug_control = noop
rlm_ldap (ldap): Reserved connection (2)
...
(7) ldap: Waiting for search result...
(7) ldap: User object found at DN "uid=rad-visitor,authorizedService=802.1x-eap-tls at xyz,uid=jdoe,ou=People,dc=xyz"
(7) ldap: Processing user attributes
(7) ldap: control:Cleartext-Password := 'rad-visitor'
(7) ldap: control:Password-With-Header += 'rad-visitor'
rlm_ldap (ldap): Released connection (2)
(7)       [ldap] = updated
...
---[ debug quotation end   ]-------------------------------------------

so, at least it is there ... but still not assigned

in file users I have this:

---[ file users quotation start ]-------------------------------------------
...
DEFAULT Ldap-Group == "wifi-abc", Called-Station-SSID == "ABC", User-Profile := "cn=wifi-abc,ou=profiles,ou=RADIUS,dc=xyz"
        Fall-Through = no
...
---[ file users quotation end   ]-------------------------------------------

-- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)