ldap profile (no full dn in profile attribute)

Peter Lambrechtsen peter at crypt.nz
Tue Jul 5 01:11:29 CEST 2016


On Tue, Jul 5, 2016 at 2:54 AM, Adamczak Krzysztof <kradamcz at gmail.com>
wrote:

> Thanks Alan I appreciate your help. I'll give it a try. Probably
> tomorrow I'll check if it'll work :)
>

If you look at how the profile value is documented in 3.0.x

I have made it work by making two LDAP calls, one to first retrieve the
LDAP value, then to call it again to apply the profile, as the profile
needs to be a DN, not a CN attribute.

In my ldap module I specify the request:User-Profile gets updated with the
value we want to use.

        update {
....
                request:User-Profile            := 'description'
        }
And the profile mapping the default value to the &control:User-Profile:

        profile {
                filter = '(objectclass=groupOfNames)'
                default = &control:User-Profile
        }

So under the authorize section:

        update control {
                User-Profile = "cn=null"
        }
        ldap
        if ( request:User-Profile ) {
                update control {
                        User-Profile := "uid=%{request:User-Profile},ou=profiles,dc=example,dc=com"
                }
                ldap
        }

That way the first time you call the LDAP module the User-Profile doesn't
match anything; then, if you get a request:User-Profile added by the ldap
module, you call it again with the updated control:User-Profile.

Then in your trace you would see something like:

(0) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (cn=peter)
(0) ldap: Performing search in "o=identities" with filter "(cn=peter)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=Peter,o=Identities"
(0) ldap: Performing search in "cn=null" with filter "(objectclass=groupOfNames)", scope "base"
(0) ldap: Waiting for search result...
(0) ldap: The specified DN wasn't found
(0) ldap: Search returned no results
(0) ldap: Profile object "cn=null" not found
(0) ldap: Processing user attributes
(0) ldap: request:User-Profile := 'dns1'
rlm_ldap (ldap): Released connection (0)
rlm_ldap (ldap): Need 5 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (5), 1 of 27 pending slots used
rlm_ldap (ldap): Connecting to ldap://localhost:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0)     [ldap] = updated
(0)     if ( request:User-Profile ) {
(0)     if ( request:User-Profile )  -> TRUE
(0)     if ( request:User-Profile )  {
(0)       update control {
(0)         EXPAND cn=%{request:User-Profile},ou=Profiles,o=Identities
(0)            --> cn=dns1,ou=Profiles,o=Identities
(0)         User-Profile := cn=dns1,ou=Profiles,o=Identities
(0)       } # update control = noop
rlm_ldap (ldap): Reserved connection (1)
(0) ldap: EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap:    --> (cn=peter)
(0) ldap: Performing search in "o=identities" with filter "(cn=peter)", scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: User object found at DN "cn=Peter,o=Identities"
(0) ldap: Performing search in "cn=dns1,ou=Profiles,o=Identities" with filter "(objectclass=groupOfNames)", scope "base"
(0) ldap: Waiting for search result...
(0) ldap: Processing profile attributes
(0) ldap: reply:MSG1 := '5.43.4.2'
(0) ldap: Processing user attributes
(0) ldap: request:User-Profile := 'dns1'
(0) ldap: reply:Framed-IP-Address := 4.2.3.2
rlm_ldap (ldap): Released connection (1)

Works for me.
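The two-pass flow in the post above, as an added example that is not code from the original message or from FreeRADIUS: a Python stand-in that walks the same steps (sentinel profile DN first, then the DN built from the user's attribute) against a constructed in-memory directory, and escapes the attribute value per RFC 4514 before interpolating it into the profile DN, since the plain `%{request:User-Profile}` expansion in the update block inserts the value as-is and the source attribute here is free text. All DNs, attribute names and values are constructed.

```python
# Added example (not from the original post or from FreeRADIUS): a stand-in
# for the two-pass rlm_ldap flow, run against a constructed in-memory
# directory. DNs, attribute names and values are made up for illustration.
DIRECTORY = {
    "cn=Peter,o=Identities": {
        "objectclass": ["person"],
        "description": ["dns1"],               # -> request:User-Profile
        "radiusFramedIPAddress": ["4.2.3.2"],  # -> reply:Framed-IP-Address
    },
    "cn=dns1,ou=Profiles,o=Identities": {
        "objectclass": ["groupOfNames"],
        "radiusReplyItem": ["MSG1 := '5.43.4.2'"],
    },
}
PROFILE_BASE = "ou=Profiles,o=Identities"
SENTINEL_DN = "cn=null"  # first pass: a DN that deliberately matches nothing

def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def profile_dn(user_profile):
    """Build the profile DN as the unlang update does, but with escaping."""
    return "cn=%s,%s" % (escape_rdn_value(user_profile), PROFILE_BASE)

def ldap_pass(user_dn, control_profile):
    """One ldap module call: returns (request updates, reply updates)."""
    request, reply = {}, {}
    profile = DIRECTORY.get(control_profile)  # base-scope profile search
    if profile and "groupOfNames" in profile["objectclass"]:
        for item in profile["radiusReplyItem"]:  # "Attr := 'value'"
            attr, value = item.split(" := ", 1)
            reply[attr] = value.strip("'")
    user = DIRECTORY[user_dn]                  # user attribute map
    request["User-Profile"] = user["description"][0]
    reply["Framed-IP-Address"] = user["radiusFramedIPAddress"][0]
    return request, reply

def authorize(user_dn):
    """authorize: ldap with the sentinel, then again with the resolved DN."""
    request, reply = ldap_pass(user_dn, SENTINEL_DN)
    if request.get("User-Profile"):
        _, reply = ldap_pass(user_dn, profile_dn(request["User-Profile"]))
    return reply
```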

