<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.3790.4237" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left>Running version 2.0.5, with LDAP backend for
authentication/authorization.<BR><BR>Needed functionality: A single user account
needs a different ldap/radius profile depending on which huntgroup the request
is coming in on... the reason is that each user has a different
Framed-IP-Address for each VPN concentrator they are coming in on. So each
user needs a profile per NAS, I believe.<BR><BR>I have separated out each NAS
into its appropriate huntgroup, and am matching on that in the users file.
Also trying to dynamically set the User-Profile.<BR><BR>
DEFAULT Huntgroup-Name == jup-rtr-xauth, Ldap-Group == `cn=%{Huntgroup-Name},ou=Groups,ou=Radius,dc=geowireless,dc=net`, User-Profile := `uid=%{User-Name},ou=jup-rtr-xauth,ou=Profiles,ou=Radius,dc=geowireless,dc=net`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Fall-Through = no<BR><BR>
(entire users file at the end of this
message).<BR><BR>The user is authenticated successfully (so the group matching
and the %{Huntgroup-Name} expansion are working fine), but the User-Profile is
not being set. If I hard code in the value for uid, it works, so the
problem is in the variable.<BR><BR><SPAN class=350543804-13112007><FONT
face=Arial color=#0000ff size=2> </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>I had a similar problem and ended up using a rewrite rule
to solve it. For 1.1.x here is the rule I used to derive a dn from a
huntgroup:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
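<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>attr_rewrite uprof {<BR>
&nbsp;&nbsp;&nbsp;&nbsp;attribute = User-Profile<BR>
&nbsp;&nbsp;&nbsp;&nbsp;# may be "packet", "reply", "proxy", "proxy_reply" or "config"<BR>
&nbsp;&nbsp;&nbsp;&nbsp;searchin = config<BR>
&nbsp;&nbsp;&nbsp;&nbsp;searchfor = ""<BR>
&nbsp;&nbsp;&nbsp;&nbsp;replacewith = "cn=%{Huntgroup-Name},ou=Profiles,dc=..."<BR>
&nbsp;&nbsp;&nbsp;&nbsp;ignore_case = no<BR>
&nbsp;&nbsp;&nbsp;&nbsp;new_attribute = yes<BR>
&nbsp;&nbsp;&nbsp;&nbsp;max_matches = 10<BR>
&nbsp;&nbsp;&nbsp;&nbsp;append = no<BR>
}<BR></FONT></SPAN></DIV>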
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>The call to uprof is in the authorize section. I placed it
after 'files' and before 'ldap'.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>So setting the replacewith = "<FONT face="Times New Roman"
color=#000000
size=3>uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"
should do exactly what you want.</FONT></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>However, using FR 2.x you can probably use unlang to do the
same thing in a much clearer manner.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>regards,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=350543804-13112007><FONT face=Arial
color=#0000ff size=2>Frank Ranner</FONT></SPAN></DIV></BODY></HTML>
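The unlang approach the reply suggests for FreeRADIUS 2.x, as an added example that is not part of the original message or of the FreeRADIUS distribution: it sets User-Profile in the authorize section between 'files' and 'ldap', using the DN layout from the thread. The stock module instance names and the username character whitelist are assumptions.

```unlang
# Added example for radiusd.conf (FreeRADIUS 2.x), not code from the thread.
# Assumes the stock preprocess, files and ldap module instances are configured.
authorize {
    preprocess      # huntgroup matching
    files           # users file keeps the Huntgroup-Name / Ldap-Group checks;
                    # the User-Profile part of that entry is dropped

    # Assumption: account names contain only these characters. User-Name is
    # supplied by the client, so any other value (for example one containing
    # a comma, which separates DN components) gets no profile DN built from it.
    if ("%{User-Name}" =~ /^[A-Za-z0-9._-]+$/) {
        update control {
            User-Profile := "uid=%{User-Name},ou=%{Huntgroup-Name},ou=Profiles,ou=Radius,dc=geowireless,dc=net"
        }
    }

    ldap            # runs after User-Profile is set, as in the attr_rewrite ordering
}
```

A request whose User-Name fails the check is still processed by 'ldap', only without a per-NAS profile; adjust the character set to the site's account naming.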