Help request: LDAP syntax authorization

Aaron Dalla-Longa aaron at shortgrass.ca
Mon Apr 3 20:06:32 CEST 2017


Thanks for the steering, Alan. A couple more questions, because I was unable
to find an LDAP man page, and the LDAP wiki page for FreeRADIUS doesn't
explain some of these options under the ldap module:

# profile_attribute = "radiusProfileDn"
I assume this is what I set for a user's 'username' coming in from the LDAP
schema, i.e. "userbarcode"? Or is that variable a RADIUS attribute and I
need to map it?

# password_attribute = userPassword
Same thing here. I assume I set this to the LDAP schema, which in my case
would be "userpin".

Of course I would uncomment them first.

A question regarding mapping RADIUS attributes. Is it required to use the
list of RADIUS attributes on the RFC page, or can I create my own variables
such as this:
replyItem User-Delinquency ldapschemadelinquency

Thus I could do

if (User-Delinquency == no) {
   accept
}
else {
  reject
}

in unlang.

On Fri, Mar 31, 2017 at 1:27 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 31, 2017, at 2:53 PM, Aaron Dalla-Longa <aaron at shortgrass.ca>
> wrote:
> >
> > Freeradius version 3
> >
> > Is it possible to deny a user based on an attribute that LDAP sends
> > through, and if so, what is the syntax for it?
>
>   You can map LDAP attributes to RADIUS ones.
>
>   See raddb/mods-available/ldap.  Look for "mapping".
>
> > Alternatively, if there is a
> > well-put together guide on Freeradius LDAP syntax, could you link it to
> > me?
>
>   The wiki has lots of documentation.  Please go there and look.  It also
> has a searchable interface.  Just search for LDAP.
>
> > Something that I would be looking for would be something like the
> > pseudo-code below:
> >
> > if (user_attribute "delinquency" == "no") {
> >     accept
> >   {
> > else {
> >    reject
> > }
>
>   That's not LDAP, that's unlang policies.  And those are documented,
> too.  Lots of examples, and a "man unlang" page that describes the syntax.
>
>   Alan DeKok.




-- 
*Aaron Dalla-Longa*
Systems Administrator
Shortgrass Library System
tf: 1.866.529.0550 | p: 403.529.0550
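
The mapping and policy discussed in this thread, as an added example that is not part of either message and not the FreeRADIUS project's own configuration. It assumes a FreeRADIUS 3.0.x layout, reuses the names from the message (User-Delinquency, ldapschemadelinquency), and the dictionary number 3000 is an assumed unused value.

```unlang
# Added example; three fragments for three files under raddb/.

# --- raddb/dictionary ---
# Server-internal attribute that is never placed in a RADIUS packet.
# 3000 is an assumed free number in the range reserved for local use.
ATTRIBUTE	User-Delinquency	3000	string

# --- raddb/mods-available/ldap (inside the existing ldap { } block) ---
ldap {
	update {
		# <list>:<RADIUS attribute> <operator> '<LDAP attribute>'
		# The control list keeps the value on the server; mapping it
		# into reply: would send it back to the NAS.
		control:User-Delinquency	:= 'ldapschemadelinquency'
	}
}

# --- raddb/sites-available/default ---
authorize {
	# Run the LDAP lookup first so the mapping above is applied.
	ldap

	# Fail closed: reject when the attribute is missing from the
	# directory entry as well as when it holds anything other than "no".
	# Without the existence check, an entry that lacks the attribute
	# would not match the comparison and would pass through.
	if (!&control:User-Delinquency || (&control:User-Delinquency != "no")) {
		reject
	}
}
```

Running the server with `radiusd -X` shows whether the LDAP attribute was mapped and which branch of the condition was taken for a given request.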

