I want to branch an ldap attribute

Yuya Yanagi peacefull64 at gmail.com
Wed Jul 17 08:44:28 CEST 2019


Hi, Alan

I am sorry for asking vague questions.

At the customer's request, we need to return the VLAN ID only when the client
connects to a specific AP, and we are struggling to solve the problem.

I'll show you the mods-available/ldap file.
I have included the mapping file in the update section below, but I also want to
include an additional mapping file only for a specific AP (at the arrow mark).
However, if I put an if statement there, I get the error [Invalid location
for 'if'].
Is there a good way to make this happen?
-----------------
ldap ldap_vipusers {
        server = "ldaps://ldap.hoge.fuga.co.jp:636"
        identity = "uid=radius,ou=systems,dc=hoge,dc=fuga,dc=co,dc=jp"
        password = "password"
        user {
                base_dn = "ou=Users,dc=hoge,dc=fuga,dc=co,dc=jp"
                filter = "(&(!(fugaPersoncocountStatus=03))(!(fugaPersoncocountStatus=04))(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        }
        tls {
                start_tls = no
                ca_file = /etc/raddb/certs/ldap.hoge.fuga.co.jp.cer
        }
        update {
                $INCLUDE ${confdir}/mods-available/ldap.attrmap

                # → ※ I want to include an attribute file only for specific AP connections
                # (this is the block that produces "Invalid location for 'if'")
                if ("&Called-Station-id" =: "vipWifi") {
                        $INCLUDE ${confdir}/mods-available/ldap.vlan.attrmap
                }
        }
        options {
                res_timeout = 10
                srv_timelimit = 3
                net_timeout = 1
                idle = 60
                probes = 3
                interval = 3
        }
        pool {
                start = 5
                min = 3
                max = 32
                spare = 10
                uses = 0
                lifetime = 0
                cleanup_interval = 30
                idle_timeout = 60
                retry_delay = 30
                spread = no
        }
}

On Wed, Jul 17, 2019 at 1:37 Alan DeKok <aland at deployingradius.com> wrote:

> On Jul 16, 2019, at 3:54 AM, Yuya Yanagi <peacefull64 at gmail.com> wrote:
> > When trying to build a dynamic VLAN, the contact point of ldap differs
> > depending on AP,
>
>   What does that mean?
>
> > Can I control which LDAP attribute to map per ldap query?
> >
> > And what should I offer to receive advice?
> >
> > Any help would be appreciated.
>
>   See mods-available/ldap
>
>   The module documents what it does, and how it works.  Please ask
> *specific* questions about that functionality.
>
>   Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
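One way to get the per-SSID VLAN without an `if` inside the module, as an added example that is not part of the original post or of the FreeRADIUS project's own configuration. The `update {}` section of the ldap module only accepts attrmap lines, so the condition has to move into unlang in the virtual server. The example assumes FreeRADIUS 3.x, the `ldap_vipusers` instance from the post, a hypothetical LDAP attribute name `hogeVlanId`, and that the APs encode Called-Station-Id as `<AP-MAC>:<SSID>` (the common 802.11 form; confirm it with `radiusd -X` before relying on the regex):

```unlang
# ----- mods-available/ldap.vlan.attrmap ----------------------------------
# Map the VLAN into the control list, never straight into reply. The LDAP
# attribute name 'hogeVlanId' is a placeholder; use your own schema's name.
control:Tunnel-Private-Group-Id := 'hogeVlanId'

# ----- mods-available/ldap -------------------------------------------------
ldap ldap_vipusers {
        # server, identity, password, user, tls, options, pool as in the post
        update {
                $INCLUDE ${confdir}/mods-available/ldap.attrmap
                # Included unconditionally. update {} takes attrmap lines only,
                # which is why an "if" here is rejected as an invalid location.
                $INCLUDE ${confdir}/mods-available/ldap.vlan.attrmap
        }
}

# ----- sites-available/default (virtual server) ---------------------------
authorize {
        # ... preprocess, eap, etc. ...
        ldap_vipusers
        # ...
}

post-auth {
        # The condition lives in unlang, which is allowed here. Note the
        # unquoted attribute reference and the =~ regex operator: the post's
        # "=:" is not an operator, and quoting &Called-Station-Id turns it
        # into a literal string.
        # Only copy the VLAN out when (a) the client is on the VIP SSID and
        # (b) LDAP actually returned one for this user.
        if ((&Called-Station-Id =~ /:vipWifi$/i) && (&control:Tunnel-Private-Group-Id)) {
                update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := &control:Tunnel-Private-Group-Id
                }
        }
        # On every other SSID the VLAN stays in control: and is never sent to the AP.
}
```

Keeping the VLAN in the `control` list means a user's VLAN is only ever disclosed to a NAS when the SSID check passes, and a user who has no VLAN in LDAP simply falls through to the AP's default VLAN instead of producing a half-formed Tunnel-* reply (if the VIP SSID must not admit such users at all, add an `else { reject }` on the SSID branch). If `ldap_vipusers` is called from the `inner-tunnel` virtual server for PEAP/TTLS, put the `post-auth` block there as well and set `use_tunneled_reply = yes` in the EAP method so the inner reply attributes reach the outer Access-Accept. An alternative is a second ldap instance that includes both attrmap files, selected from `authorize` with the same `if`; that costs a second module configuration but no extra LDAP round trip per request.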


More information about the Freeradius-Users mailing list