ldap profile (no full dn in profile attribute)
Alan DeKok
aland at deployingradius.com
Mon Jul 4 16:42:35 CEST 2016
On Jul 4, 2016, at 9:26 AM, Adamczak Krzysztof <kradamcz at gmail.com> wrote:
>
> Thanks for your help. Actually I can do an ldapsearch that returns that
> profile. I cannot modify ldap structure. It seems that I need to set
> e.g. profile default dynamically. Can I put profile name taken from
> ldap user account and set it in profile/default ldap module property?
Yes.
> Something like this:
>
> profile {
>     default = "uid=%{profile_attribute_value_from_ldap_user_account},ou=profiles,dc=example,dc=com"
> }
You'll need to get that attribute somehow. Typically via an LDAP query.
    update control {
        My-LDAP-Profile := "%{ldap:...}"
    }
Be sure to list that *before* the call to the "ldap" module.
And also define My-LDAP-Profile as "string" in raddb/dictionary.
Then just use %{My-LDAP-Profile} in the ldap configuration.
The only danger is that if the returned profile has "magic" characters, the LDAP module may escape them. In that case, it will be a bit more work to figure out a solution.
The larger answer is that your use-case is pretty unusual.
Alan DeKok.
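
The "magic characters" caveat above, as an added Python illustration (not part of the original message and not FreeRADIUS code): it escapes a profile name per RFC 4514 before placing it in the thread's example DN template, and compares the result with raw interpolation. The sample names are constructed, and whether the ldap module escapes in exactly this form is an assumption.

```python
# Added illustration, not FreeRADIUS code. Sample names are constructed.
# DN template taken from the example in the thread.
PROFILE_DN = "uid={},ou=profiles,dc=example,dc=com"

# Characters RFC 4514 section 2.4 requires escaping inside an RDN value.
SPECIALS = set(',+"\\<>;\x00')


def escape_dn_value(value):
    """Escape a string for use as an RDN attribute value (hex-pair form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        lead = i == 0 and ch in " #"      # leading space or '#'
        trail = i == last and ch == " "   # trailing space
        if ch in SPECIALS or lead or trail:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn):
    """Split a DN on unescaped commas (enough for this demonstration)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep the escape with its next char
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def profile_dn(name, escape=True):
    """Build the profile DN from a value read off the user's LDAP entry."""
    return PROFILE_DN.format(escape_dn_value(name) if escape else name)


if __name__ == "__main__":
    for name in ["gold", "gold,ou=staff", "#vip "]:
        raw, esc = profile_dn(name, False), profile_dn(name)
        print(repr(name), len(split_rdns(raw)), "->", len(split_rdns(esc)), esc)
```

Profile names that pass through escape_dn_value unchanged are unaffected by the caveat; only names containing the listed characters produce a DN that differs from the raw string.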