VLan affect based on ldap attribute freeradius v3

Matthew Newton mcn at freeradius.org
Thu Aug 30 19:32:42 CEST 2018


On Thu, 2018-08-30 at 19:06 +0200, jehan procaccia INT wrote:
> 2) running radiusd -X I do see the ldap query and attribute returned
> correctly
> 
> rlm_ldap (prod): Reserved connection (3)
> (41) prod: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (41) prod:    --> (uid=teststud)
> 
> ...
> 
> (41) prod: Processing user attributes
> (41) prod: control:Password-With-Header += '{CRYPT}secretaoSOObH1'
> (41) prod: control:NT-Password += secret3735323731
> (41) prod: reply:Reply-Message := 'faculty'
> (41) prod: reply:User-Category += 'faculty'
> rlm_ldap (prod): Released connection (3)
> (41)       [prod] = updated

OK

>         if ((reply:UserCategory == "employee") ||
>             (reply:UserCategory == "faculty") ||
>             (reply:UserCategory == "staff") ||
>             (reply:UserCategory == "researcher") ||
>             (reply:UserCategory == "member")) {
>                 update reply {
>                         Tunnel-Private-Group-Id := 903
>                 }
>         }

Use &reply:User-Category, etc.


> is there a way to print the value of an attribute to check its
> name and value?

debug_reply

If it's not there... is this the same RADIUS packet? e.g. you set
User-Category in one packet, and then check it again in the next
packet. If so, use the session-state: list instead of reply:.

> I am confused by the attribute name itself, you might have noticed in
> my vlanaffect.conf I use UserCategory but in ldap module it is named
> User-Category (note the - between User and Category)! It is so
> because if in vlanaffect.conf I name it according to ldap module
> (User-Category) strangely I get errors in running radiusd -X :

If you use different names for the attribute then it's not going to
work...

Try with the & before the attribute name.

-- 
Matthew
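Putting the two suggestions above together (the & attribute-reference prefix and the session-state: list), here is an added example of what the vlanaffect policy could look like in FreeRADIUS v3; it is not code from the thread or from the FreeRADIUS project. It assumes User-Category is already defined in the local dictionary (the debug output above shows the ldap module populating it), that the ldap module's update block is changed to write it into session-state:, that 'eduPersonAffiliation' is the LDAP attribute holding the category (an assumed name), and that the ldap lookup and the VLAN check run in the same virtual server; the VLAN id 903 is the one from the original post.

```unlang
# mods-available/ldap, update stanza (assumed layout): store the category in
# session-state: so it survives the State round trips of an EAP exchange and
# is still present when the final Access-Accept is built.
update {
	control:Password-With-Header	+= 'userPassword'
	session-state:User-Category	+= 'eduPersonAffiliation'   # assumed LDAP attribute
}

# sites-available/default, post-auth section: assign the VLAN only after
# authentication has succeeded.
post-auth {
	# '&' makes the left-hand side an attribute reference; without it the
	# comparison is against a literal string and silently never matches.
	# One regex replaces the chain of || comparisons from the original post.
	if (&session-state:User-Category =~ /^(employee|faculty|staff|researcher|member)$/) {
		update reply {
			# Tunnel-Type and Tunnel-Medium-Type are required (RFC 3580) for
			# the switch to act on Tunnel-Private-Group-Id.
			Tunnel-Type		:= VLAN
			Tunnel-Medium-Type	:= IEEE-802
			Tunnel-Private-Group-Id	:= 903
		}
	}
	else {
		# Policy choice (not from the thread): a user whose category is not
		# recognised is refused rather than left on the NAS default VLAN.
		reject
	}

	# Prints the reply list in radiusd -X output, so the Tunnel-* attributes
	# can be checked by name and value before the packet leaves.
	debug_reply
}
```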
