Help request: LDAP syntax authorization
Alan DeKok
aland at deployingradius.com
Mon Apr 3 20:17:50 CEST 2017
On Apr 3, 2017, at 2:06 PM, Aaron Dalla-Longa <aaron at shortgrass.ca> wrote:
>
> Thanks for the steering Alan. A couple more questions, because I was unable
> to find an LDAP man page, and the ldap wiki page for FreeRADIUS doesn't
> explain some of these options under the ldap module:
The comments in the LDAP module should explain the configuration options.
> # profile_attribute = "radiusProfileDn"
> I assume this is what I set for a user's 'username' coming in from the ldap
> schema? I.E. "userbarcode", or is that variable a radius attribute and I
> need to map it?
No. It's for user profiles. i.e. you have a bunch of users, and you want them to all share a common profile.
> # password_attribute = userPassword
> same thing here. I assume I set this to the ldap schema, in my case would
> be "usurping".
That's where the user's "known good" password is located.
And both of those configuration items are for FreeRADIUS v2. They don't exist in the v3 version of the module.
> Of course I would uncomment them first.
>
> A question regarding mapping radius attributes. Is it required to use the
> list of radius attributes on the rfc page, or can I create my own variables
> such as this:
> replyItem User-Delinquency ldapschemadelinquency
>
> Thus I could do
>
> if (User-Delinquency == no) {
> accept
> }
> else {
> reject
> }
>
> in unlang.
Yes.
But you also need to define User-Delinquency in raddb/dictionary. Read that file for further instructions.
Alan DeKok.
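
The pieces discussed in this thread, put together for a FreeRADIUS v3 layout. This is an added example, not part of the original messages and not the project's own configuration. The attribute number 3000, the choice of the control list, and the file locations are assumptions; User-Delinquency and ldapschemadelinquency are the names used in the question.

```text
# --- raddb/dictionary -------------------------------------------------
# Define the local attribute so the server can parse it.
# The number 3000 is an assumed value; follow the instructions in
# raddb/dictionary when choosing one.
ATTRIBUTE       User-Delinquency        3000    string

# --- raddb/mods-available/ldap (inside the ldap { ... } section) -------
# v3 maps LDAP attributes to server attributes in an "update" section.
# The control list keeps the value server-side: it is used for the
# policy decision and is not copied into the Access-Accept.
update {
        control:User-Delinquency        := 'ldapschemadelinquency'
}

# --- raddb/sites-available/default (inside authorize { ... }) ----------
# The ldap module has to run first so the attribute is populated.
ldap

# Only an explicit "no" passes. If the LDAP entry has no such
# attribute, or the lookup returned nothing, the comparison is false
# and the request falls through to reject (fail closed).
if (&control:User-Delinquency == "no") {
        ok
}
else {
        reject
}
```

Running the server with radiusd -X shows whether the dictionary entry parses and what value the LDAP mapping produced for a given user.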