[802.1X] FreeRADIUS OpenLDAP
Christian VAN DER ZWAARD
christian.van-der-zwaard at bedrockstreaming.com
Mon Feb 1 15:47:42 CET 2021
Hello everyone,
I'm using an LDAP directory to store my user accounts and groups. For each
group I created a radiusObjectProfile to store the required attributes to
assign a VLAN to the user.
A user can't be in more than 1 group. My profiles are stored in
*cn=group1,ou=profiles,ou=radius,dc=company,dc=com*, each profile's *common
name* matches the corresponding group name.
How can I configure my LDAP module to get the right profile depending on
the user's group?
I tried it this way:
    profile {
        filter = '(objectclass=radiusprofile)'
        default = "cn=%{LDAP-Group},ou=profiles,ou=radius,${..base_dn}"
    }
But it does not work...
Here is Freeradius's output:
    (0) ldap: EXPAND cn=%{LDAP-Group},ou=profiles,ou=radius,dc=company,dc=com
    (0) ldap: --> cn=,ou=profiles,ou=radius,dc=jdl-network,dc=local
    (0) ldap: Performing search in "cn=,ou=profiles,ou=radius,dc=company,dc=com" with filter "(objectclass=radiusprofile)", scope "base"
    (0) ldap: Waiting for search result...
    (0) ldap: ERROR: Failed performing search: Invalid DN syntax
    (0) ldap: ERROR: Server said: invalid DN.
Obviously, using *%{LDAP-Group}* won't work if the variable has no value.
Do you have any idea how I can get the user's group?
Is there a way to extract the group name from the dn (
*uid=cvdz,cn=group1,ou=users,ou=radius,dc=company,dc=com*)?
Thank you very much for your help.
Kind regards
--
Christian VAN DER ZWAARD
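
The DN handling asked about above, as an added Python example that is not part of the original post and is not FreeRADIUS configuration: it takes the group RDN out of a user DN laid out as uid=<user>,cn=<group>,<users base> and refuses to build a profile DN when no group is found, which is the empty "cn=," case in the debug output. The function names are hypothetical; the base DNs are the ones given in the post.

```python
# Added example: function names are hypothetical, base DNs come from the post.
USERS_BASE = "ou=users,ou=radius,dc=company,dc=com"
PROFILES_BASE = "ou=profiles,ou=radius,dc=company,dc=com"


def split_rdns(dn):
    """Split a DN into RDN strings, keeping backslash escapes intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # an escaped character never ends an RDN
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def group_from_user_dn(user_dn, users_base=USERS_BASE):
    """Return the cn value of uid=<u>,cn=<group>,<users_base>, else None."""
    rdns, base = split_rdns(user_dn), split_rdns(users_base)
    # Exactly two RDNs (uid, cn) must sit above the users base.
    if len(rdns) != len(base) + 2:
        return None
    if [r.lower() for r in rdns[2:]] != [b.lower() for b in base]:
        return None
    uid_attr, _, uid = rdns[0].partition("=")
    cn_attr, _, group = rdns[1].partition("=")
    if uid_attr.lower() != "uid" or cn_attr.lower() != "cn":
        return None
    return group if uid and group else None


def profile_dn(user_dn, users_base=USERS_BASE, profiles_base=PROFILES_BASE):
    """Build the profile DN; raise instead of emitting an invalid 'cn=,' DN."""
    group = group_from_user_dn(user_dn, users_base)
    if group is None:
        raise ValueError("no group RDN in %r" % user_dn)
    # The value is still in its escaped DN form, so it can be reused as is.
    return "cn=%s,%s" % (group, profiles_base)
```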