ldap profile (no full dn in profile attribute)
Adamczak Krzysztof
kradamcz at gmail.com
Tue Jul 5 09:00:11 CEST 2016
Thanks Peter, it worked :) Although I had to tweak the config a little.
mods-enabled/ldap (without filter, and the & syntax wasn't evaluated so I
changed it to % (BTW, any idea why?)):
profile {
    default = %{control:User-Profile}
}
sites-enabled/default:
update control {
    User-Profile = "cn=null"
}
-ldap
if ( request:User-Profile ) {
    update control {
        User-Profile := "%{request:User-Profile},ou=profiles,dc=example,dc=com"
    }
    ldap
}
The only downside is it takes four ldap queries (Alan's solution takes
three) and the default profile assignment two (with full dn in profile
attribute). Right now I don't think it'll be a problem - we'll see
after some performance tests. I also like that I don't have to
construct a separate query to ldap outside the ldap module (per Alan's
solution). It keeps the configuration a little clearer, I think, especially
when I add e.g. load balancing.
many thanks guys,
Krzysztof