ldap profile (no full dn in profile attribute)

Alan DeKok aland at deployingradius.com
Mon Jul 4 16:42:35 CEST 2016

On Jul 4, 2016, at 9:26 AM, Adamczak Krzysztof <kradamcz at gmail.com> wrote:
> Thanks for your help. Actually I can do ldapsearch that return that
> profile. I cannot modify ldap structure. It seems that I need to set
> eg. profile default dynamically. Can I put profile name taken from
> ldap user account and set it in profile/default ldap module property?


> Something like this:
> profile {
> default = "uid=%{profile_attribute_value_from_ldap_user_account},ou=profiles,dc=example,dc=com"
> }

  You'll need to get that attribute somehow.  Typically via an LDAP query.

	update control {
		My-LDAP-Profile := "%{ldap:...}"

  Be sure to list that *before* the call to the "ldap" module.

  And also define My-LDAP-Profile as "string" in raddb/dictionary

  The just use %{My-LDAP-Profie} in the ldap configuration. 

  The only danger is that if the returned profile has "magic" characters, the LDAP module may escape them.  In that case, it will be a bit more work to figure out a solution.

  The larger answer is that your use-case is pretty unusual.

  Alan DeKok.

More information about the Freeradius-Users mailing list