rlm_ldap - inherit user { access_attribute } from profile entry
Alan DeKok
aland at deployingradius.com
Sat Apr 16 15:46:34 UTC 2022
On Apr 14, 2022, at 10:26 PM, Peter Payne <freeradius20220411 at abitry.com.au> wrote:
>
> In the rlm_ldap module configuration file "ldap" there is a configuration parameter in the "user { }" section named "access_attribute". I have that set to "dialupAccess".
>
> I also have the configuration parameter in the "profile { }" section named "attribute" set to "radiusProfileDn".
>
> My users, in LDAP, all have "radiusProfileDn" set to point to a profile, e.g.:
> radiusProfileDn: cn=adsl,ou=radius profiles,o=myorg
>
> And I'd like to put the "dialupAccess" attribute in the profile rather than the user entry, e.g.:
> dialupAccess: 1
>
> As far as I can tell there's no attribute value inheritance in LDAP? Short of modifying the source code of rlm_ldap.c and/or the function rlm_ldap_check_access() to explicitly search the profile LDAP entry for the access attribute are there any other strategies I might consider in order to move the access attribute out of the individual user LDAP entries?
You'll probably have to either modify the source, or just write an LDAP query:
    if ("%{ldap:... query for access attribute}" == "") {
        reject
    }
Alan DeKok.
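The following is an added example, not part of the thread above and not configuration that FreeRADIUS ships. It shows one way to implement the second option (no source changes) on FreeRADIUS 3.x without issuing a separate %{ldap:...} query: rlm_ldap applies its update { } map to each profile entry named in the profile attribute as well as to the user entry, so dialupAccess on the profile can be copied into a control attribute and tested in unlang after the ldap module has run. The attribute names radiusProfileDn and dialupAccess come from the original question; control:Tmp-String-0 as the holding attribute is an arbitrary choice for this example, and the regex check mirrors the module's own access_attribute behaviour with access_positive = yes, where a missing attribute, or one whose value begins with "false" (case-insensitive), means the user is locked out.

```unlang
# mods-available/ldap  (added example; assumes FreeRADIUS 3.x)
ldap {
    # server, base_dn, identity etc. stay as they are

    user {
        # Leave access_attribute unset here. With it set, rlm_ldap
        # rejects any user whose OWN entry lacks dialupAccess, which
        # is now every user, before unlang gets a chance to run.
        # access_attribute = "dialupAccess"
        # base_dn / filter as before
    }

    profile {
        # The user entry names its profile(s) in this attribute.
        # Each profile entry is fetched with a base-scope search and
        # run through the same update { } map as the user entry.
        attribute = "radiusProfileDn"
    }

    update {
        # Copy dialupAccess from whichever entry carries it (the
        # profile, in this setup) into a control attribute.
        # Tmp-String-0 is an arbitrary, unused attribute chosen for
        # this example; any free attribute would do.
        control:Tmp-String-0 := 'dialupAccess'
    }
}

# sites-available/default, inside the authorize { } section
authorize {
    # earlier modules (preprocess, suffix, ...) unchanged
    ldap
    if (ok || updated) {
        # Same semantics as rlm_ldap's access_attribute check with
        # access_positive = yes: no attribute at all, or a value
        # beginning with "false", means locked out.
        if (("%{control:Tmp-String-0}" == "") || (&control:Tmp-String-0 =~ /^false/i)) {
            reject
        }
    }
    # remaining authorize modules unchanged
}
```

Because the check is ordinary unlang, it can be loosened or tightened per site (for instance only enforced for a given NAS or realm), which is something the built-in access_attribute check cannot do. If a user entry lists more than one profile, the last profile carrying dialupAccess wins, since the map uses ":=".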