Re: Dynamic VLAN attribute in LDAP or AD?
Agreed. I didn't know if I could do some group checking with ntlm_auth, more accurately get a list of groups a user belongs to? If I used FQDN I could prolly parse out the info I need from the user name as well: gary.neteng.waddell.... Ill try LDAP - good learning experience! ----- Original Message ----- From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org> To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org> Sent: Mon Aug 24 15:48:40 2009 Subject: RE: Dynamic VLAN attribute in LDAP or AD?
Interesting... I'm assuming I could use existing LDAP attribs and remap them as needed? Ie: "Fax Number" could be mapped to Tunnel ID? Extending the schema is like getting teeth pulled.
Resist the temptation and extend the schema now instead of later. When you need the Fax Number, what will you do? If you don't want to tackle LDAP, you could write a script to generate a separate file of unlang if-then blocks and pull it into the FR conf file with an $INCLUDE statement.
Also, no way to do this with NTLM auth is there?
No. NTLM_auth is an authentication tool that returns 0 or 1 depending on the correctness of a password. This is an authorization question - what kind of access will the authenticated user be given?
-----Original Message----- From: Jason Alderfer [mailto:jha2@emu.edu] Sent: Monday, August 24, 2009 2:10 PM To: Gary Gatten Subject: RE: Dynamic VLAN attribute in LDAP or AD?
So, by looking at this more carefully I'll have to do a bunch of if/else's or cases? What if for instance I have 500 departments/groups - 500 different vlans? I'll have to test each one?
I guess what I was hoping to do was something like:
Get attribute "n" for user y (where n = a value used for Tunnel-Private-Group-Id"
You will need to extend your LDAP schema to include the attributes needed for the VLAN and make sure they are properties of the objects that you want them to apply to.
Then you will need to add these attributes to the FR ldap.attrmap file, e.g.
replyItem Tunnel-Type radiusTunnelType replyItem Tunnel-Medium-Type radiusTunnelMediumType replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
Now the LDAP module should be able to set these attributes automatically for each request if you enable it in the authorize or post-auth section.
Jason
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
Agreed. I didn't know if I could do some group checking with ntlm_auth, more accurately get a list of groups a user belongs to? If I used FQDN I could prolly parse out the info I need from the user name as well: gary.neteng.waddell.... Ill try LDAP - good learning experience!
No need. AD is sort of a Ldap server. You can define it in ldap module and it will respond to queries. You just need to adjust attribute names in ldap.attrmap to AD schema names (since MS broke specification). Ivan Kalik Kalik Informatika ISP
participants (2)
-
Gary Gatten -
Ivan Kalik