rlm_ldap - inherit user { access_attribute } from profile entry

Alan DeKok aland at deployingradius.com
Sat Apr 16 15:46:34 UTC 2022

On Apr 14, 2022, at 10:26 PM, Peter Payne <freeradius20220411 at abitry.com.au> wrote:
> In the rlm_ldap module configuration file "ldap" there is a configuration parameter in the "user { }" section named "access_attribute". I have that set to "dialupAccess".
> I also have the configuration parameter in the "profile { }" section named "attribute" set to "radiusProfileDn".
> My users, in LDAP, all have "radiusProfileDn" set to point to a profile, e.g.:
>  radiusProfileDn: cn=adsl,ou=radius profiles,o=myorg
> And I'd like to put the "dialupAccess" attribute in the profile rather than the user entry, e.g.:
>  dialupAccess: 1
> As far as I can tell there's no attribute value inheritance in LDAP? Short of modifying the source code of rlm_ldap.c and/or the function rlm_ldap_check_access() to explicitly search the profile LDAP entry for the access attribute are there any other strategies I might consider in order to move the access attribute out of the individual user LDAP entries?

  You'll probably have to either modify the source, or just write an LDAP query:

	if (%{ldap:... query for access attribute}" == "") {

  Alan DeKok.

More information about the Freeradius-Users mailing list