problems with dynamic vlan assignment
Phil Mayers
p.mayers at imperial.ac.uk
Thu Sep 16 09:44:29 CEST 2010
> [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
> [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
> ldapdev.int-evry.fr:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
> [ldap] looking for check items in directory...
> [ldap] sambaNtPassword -> NT-Password ==
> 0x3846343134354531463530334232353337443430363846343942363633434143
> [ldap] sambaLmPassword -> LM-Password ==
> 0x4434413632394242394536303843323438423045413541374446313335423033
> [ldap] looking for reply items in directory...
> [ldap] eduPersonPrimaryAffiliation -> User-Category = "employee"
Two issues; first, as above you're adding the User-Category item from
LDAP into the reply list, but the "files" syntax doesn't (can't) match
items in the reply list. This:
DEFAULT User-Category == "employee"
means "match all requests with the attribute User-Category == employee in
the *request* items".
Secondly, I think you're running LDAP after "files", so even if it could
match, it would not.
Try something like this in sites-available/inner-tunnel:
authorize {
    ...
    # ldap must run first: reply:User-Category is empty until it has
    ldap
    if (reply:User-Category == "employee") {
        update reply {
            Tunnel-Private-Group-Id := 1234
        }
    }
    elsif (reply:User-Category == ...) {
    }
}
Or, modify your ldap.attrmap to put the User-Category into the request
items (assuming your NAS doesn't need it) then move the files module
after the ldap one.
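A fuller version of that inner-tunnel authorize block, as an added example that is not from this thread or the FreeRADIUS distribution. It assumes the ldap module maps eduPersonPrimaryAffiliation to the reply item User-Category (as in the quoted debug output), that "student" is a second affiliation value, and that the VLAN IDs 1234, 1235 and 1999 are placeholders; it goes beyond the post by sending the full set of tunnel attributes most switches require, by giving unknown affiliations a restricted VLAN instead of no VLAN at all, and by stripping the helper attribute before the Access-Accept leaves the server.

```unlang
# sites-available/inner-tunnel, FreeRADIUS 2.x unlang (added example, not
# from the original post). Assumes: ldap.attrmap puts
# eduPersonPrimaryAffiliation into reply:User-Category; "employee" and
# "student" are the affiliation values; VLAN IDs are placeholders.
authorize {
    # (chap, mschap, suffix, eap and the other default modules go here)

    # ldap must run before any policy that reads reply:User-Category,
    # because the reply list is empty until ldap has populated it.
    ldap

    # The users file ("files") only compares *request* items, so the
    # affiliation has to be tested here, where reply:<attr> is reachable.
    if (reply:User-Category == "employee") {
        update reply {
            # Switches generally need all three attributes, not just the id.
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "1234"
        }
    }
    elsif (reply:User-Category == "student") {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "1235"
        }
    }
    else {
        # Unknown or missing affiliation: fail closed into a restricted VLAN
        # rather than returning an Access-Accept with no VLAN attributes.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "1999"
        }
    }

    # Remove the helper attribute so it is not sent to the NAS.
    update reply {
        User-Category !* ANY
    }

    # (expiration, logintime, pap follow as in the default inner-tunnel)
}
```

Run the server with `radiusd -X` and check that the `[ldap] ... -> User-Category = "employee"` line appears before the `if` is evaluated; if the `if` is evaluated first, ldap is still listed too late in the section.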