<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">I would like to use LDAP to be able to authorize a user so if there have a certain attribute I can return a radius AVP with a VLAN ID in the access-accept. This would be used for allowing access to licensed library resources. However, I am not sure if I can do this the way my LDAP stuff is set up.</span><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">The attribute that has the data I need is multi-valued.</div><div style="font-family:arial,sans-serif;font-size:13px"><ul><li style="margin-left:15px">StudentAA, StudentDBRN, and StudentFLNT (continuing and incoming students regardless of enrollment; includes detached study);</li>
<li style="margin-left:15px">EnrolledStudentAA, EnrolledStudentDBRN, EnrolledStudentFLNT (enrolled in at least one credit hour for ""current"" term; next term information is used during gap between terms)</li>
<li style="margin-left:15px">AlumniAA, AlumniDBRN, AlumniFLNT (any person who has completed at least one semester in a degree-granting program)</li><li style="margin-left:15px">FacultyAA, FacultyDBRN, FacultyFLNT (defined as academic, instructional, and research appointments; includes emeritus faculty)</li>
<li style="margin-left:15px">RegularStaffAA, RegularStaffDBRN, RegularStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave);</li><li style="margin-left:15px">TemporaryStaffAA, TemporaryStaffDBRN, TemporaryStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave)</li>
<li style="margin-left:15px">Retiree (retired from any U-Mcampus, regardless of other appoints that may still be active)</li><li style="margin-left:15px">SponsoredAffiliateAA, SponsoredAffiliateDBRN, SponsoredAffiliateFLNT (has at least one departmental sponsorship). </li>
</ul></div><div style="font-family:arial,sans-serif;font-size:13px"><div dir="ltr"><div><br></div><div><br></div><div>However, only 5 of them (StudentAA, EnrolledStudentAA, FacultyAA, RegularStaffAA and TemoraryStaffAA) should get the radius AVP and be allowed access. However, when I query I get something like the following</div>
<div><br></div><div><div>ldapsearch -h <a href="http://ldap.umich.edu/" target="_blank">ldap.umich.edu</a><div style="display:inline-block;width:16px;min-height:16px"></div> -ZZ -z0 -x -D <cut> -b ou=people,dc=umich,dc=edu -LLL -s sub uniqueid=<username> umichinstroles </div>
</div></div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div style="font-family:arial,sans-serif;font-size:13px"><div><div><div>dn: uid=<username>,ou=People,dc=umich,dc=edu</div></div></div>
</div>
<div style="font-family:arial,sans-serif;font-size:13px"><div><div><div>umichinstroles: RegularStaffAA</div></div></div></div><div style="font-family:arial,sans-serif;font-size:13px"><div><div><div>umichinstroles: AlumniFLNT</div>
</div></div></div></blockquote><div style="font-family:arial,sans-serif;font-size:13px"><div dir="ltr"><div><div><br></div></div><div>So that is not really a group membership.</div><div><br></div><div>Is this something I will be able to do? If I can not do it natively can folks mention other options/solutions?</div>
<div>------------------------</div></div></div><div><div dir="ltr"><div><br></div><div>------------------------</div><div>Walter Reynolds<br></div>Principal Systems Security Development Engineer<br>Information and Technology Services<br>
University of Michigan<br><a href="tel:%28734%29%20615-9438" value="+17346159438" target="_blank">(734) 615-9438</a></div></div>
</div>