ldap profile (no full dn in profile attribute)

Adamczak Krzysztof kradamcz at gmail.com
Tue Jul 5 09:00:11 CEST 2016

Thanks Peter it worked :) Although I have to tweak config a little.

mods-enabled/ldap (without filter and &syntax wasn't evaluated so I
changed it to % (BTW any idea why?)):
profile {
                default = %{control:User-Profile}

update control {
                User-Profile = "cn=null"

if ( request:User-Profile ) {
                update control {
                        User-Profile :=

The only downside is it takes four ldap queries (Alan's solution takes
three) and the default profile assignment two (with full dn in profile
attribute). Right now I don't think it'll be a problem - we'll see
after some performance tests. I also like that I don't have to
construct a separate query to ldap outside the ldap module (per Alan's
solution). It keeps the configuration a little clearer I think, especially
when I add e.g. load balancing.

many thanks guys,
