rlm_ldap - inherit user { access_attribute } from profile entry

Peter Payne freeradius20220411 at abitry.com.au
Fri Apr 15 02:26:31 UTC 2022

In the rlm_ldap module configuration file "ldap" there is a configuration parameter in the "user { }" section named "access_attribute". I have that set to "dialupAccess".

I also have the configuration parameter in the "profile { }" section named "attribute" set to "radiusProfileDn".

My users, in LDAP, all have "radiusProfileDn" set to point to a profile, e.g.:
   radiusProfileDn: cn=adsl,ou=radius profiles,o=myorg

And I'd like to put the "dialupAccess" attribute in the profile rather than the user entry, e.g.:
   dialupAccess: 1

As far as I can tell there's no attribute value inheritance in LDAP? Short of modifying the source code of rlm_ldap.c and/or the function rlm_ldap_check_access() to explicitly search the profile LDAP entry for the access attribute, are there any other strategies I might consider in order to move the access attribute out of the individual user LDAP entries?

Kind regards,
Peter Payne
Melbourne, Australia
