fr group howto

Hegedus Gabor hegedus.gabor at euroway.hu
Wed Dec 10 11:15:50 CET 2008


Hegedus Gabor wrote:
> Hi all!
>
> I have 802.1x authentication, which works.
> I want use dynamic vlan assignment:
> The RADIUS server authenticates the user (using ntlm_auth)
> and after this, it uses LDAP to get the user information from the database 
> (username = sAMAccountName).
> ldap.attrmap changes the attributes and sends them to the switch; it is okay.
>
> It is not so comfortable, I want to try something else:
>
> 1. I create groups: vlan21, vlan333, and so on, and expand the vlan schema 
> with 3 attributes (you know: VLAN, IEEE-802, and VLANID). I put users and 
> computers in the groups.
> How can I get a user's VLAN info? I can't create an LDAP query, because:
> - I have the sAMAccountName, which is not the cn, and the "member" and 
> "memberOf" attributes contain the cn.
> I don't know how I can do a good query; the right attribute is in the vlanXY 
> group.
> - get the VLAN? OK, but I have just the sAMAccountName, no cn
> - get the user? OK, but the right attributes are in the VLAN group
>
> How?
>
> 2. I don't expand the vlanXY schema; I get the user info (by sAMAccountName), 
> which contains the "memberOf" attribute, and in the FreeRADIUS users file I 
> create a group. If the group in the users file equals the "memberOf" 
> attribute, send back the VLAN info to the switch:
> (I know it is not good yet)
> DEFAULT Ldap-Group == "cn=vlan10,ou=vlans,dc=test,dc=hu"
>                Tunnel-Type = VLAN,
>                Tunnel-Medium-Type = IEEE-802,
>                Tunnel-Private-Group-Id = 10,
>                Reply-Message = "You are in vlan 10"
>
> ldap module:
> groupname_attribute = cn
> groupmembership_filter = 
> "(&(memberof=cn=vlan10,ou=vlans,dc=test,dc=hu)(samaccountname=%{mschap:user-name}))" 
>
> ## I know it is bad, but what is the good one?
>
> Do you understand what I want?
>
> I tested both prospects, please help.
>
> Thanks, Gabor
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
Any idea?
(login name = sAMAccountName = hege)

How can I make a query for this:
search for the VLAN (one group) whose member's sAMAccountName equals "hege"

dn: CN=vlan10,OU=vlans,DC=test,DC=hu
objectClass: top
objectClass: group
cn: vlan10
member: CN=hegedus gab,CN=Users,DC=test,DC=hu
distinguishedName: CN=vlan10,OU=vlans,DC=test,DC=hu
instanceType: 4
whenCreated: 20081202130318.0Z
whenChanged: 20081202130354.0Z
uSNCreated: 16494
uSNChanged: 16499
name: vlan10
objectGUID:: wdVRLxlU+Eqobg1FpLtVvA==
objectSid:: AQUAAAAAAAUVAAAA/iEMgYVoYPNcURmzXwQAAA==
sAMAccountName: vlan10
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=hu


dn: CN=hegedus gab,CN=Users,DC=test,DC=hu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hegedus gab
sn: gab
l: VLAN
postOfficeBox: IEEE-802
givenName: hegedus
distinguishedName: CN=hegedus gab,CN=Users,DC=test,DC=hu
instanceType: 4
whenCreated: 20081128084825.0Z
whenChanged: 20081202124457.0Z
displayName: hegedus gab
uSNCreated: 14074
memberOf: CN=vlan10,OU=vlans,DC=test,DC=hu
uSNChanged: 16484
streetAddress: 9
name: hegedus gab
objectGUID:: SZnqGh1Bp0i0liC1PU+vkQ==
userAccountControl: 66048
badPwdCount: 3
codePage: 0
countryCode: 0
badPasswordTime: 128732900775156250
lastLogoff: 0
lastLogon: 0
pwdLastSet: 128726954971562500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA/iEMgYVoYPNcURmzXQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: hege
sAMAccountType: 805306368
userPrincipalName: hege at test.hu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=hu


Please help.
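An added example, not part of the original thread, that walks through the lookup the question asks for over the two entries posted above: resolve the sAMAccountName to the user's DN first, then find the group whose `member` value is that DN (the DN, not the cn or sAMAccountName, is the join key), and map the group's cn to the Tunnel attributes from the users-file entry in the post. The `vlanNN` naming of the group cn is assumed from the post, and the function names are mine.

```python
import re

# Constructed LDIF, reduced from the two entries shown in the post.
LDIF = """\
dn: CN=vlan10,OU=vlans,DC=test,DC=hu
objectClass: group
cn: vlan10
member: CN=hegedus gab,CN=Users,DC=test,DC=hu

dn: CN=hegedus gab,CN=Users,DC=test,DC=hu
objectClass: user
cn: hegedus gab
memberOf: CN=vlan10,OU=vlans,DC=test,DC=hu
sAMAccountName: hege
"""

def parse_ldif(text):
    """Split LDIF into entries: dicts of lower-cased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def _has(entry, attr, value):
    """Case-insensitive attribute match, as AD treats DNs and sAMAccountName."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def vlan_for_account(entries, sam):
    """sAMAccountName -> user DN -> group with member=DN -> VLAN id (None if unresolved)."""
    # Step 1: (sAMAccountName=<sam>) only tells us the user's DN.
    users = [e for e in entries
             if _has(e, "objectclass", "user") and _has(e, "samaccountname", sam)]
    if len(users) != 1:
        return None
    dn = users[0]["dn"][0]
    # Step 2: (&(objectClass=group)(member=<dn>)) joins on the DN, not the cn.
    for g in entries:
        if _has(g, "objectclass", "group") and _has(g, "member", dn):
            m = re.fullmatch(r"vlan(\d+)", g["cn"][0], re.IGNORECASE)  # assumed cn convention
            if m:
                return int(m.group(1))
    return None

def radius_reply(vlan_id):
    """The reply attributes the post's users-file entry sends to the switch."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}
```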




More information about the Freeradius-Users mailing list