assigning vlan based on LDAP attribute

Thibault Le Meur Thibault.LeMeur at supelec.fr
Wed Sep 27 19:03:17 CEST 2006


> 
> My ldap section from radiusd.conf looks like:
> ldap {
>                 server = "ldapserver.net.org"
>                 identity = "uid=name,dc=net,dc=org"
>                 password = password
>                 basedn = "ou=stuffdc=net,dc=org"
>                 filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                 start_tls = no
>                 dictionary_mapping = ${raddbdir}/ldap.attrmap
>                 ldap_connections_number = 5
>                 password_attribute = userPassword
>                 groupmembership_attribute = eduPersonPrimaryAffiliation
>                 timeout = 4
>                 timelimit = 3
>                 net_timeout = 1
>         }
It seems ok to me...

> 
> My users file contains the following at the end:
> DEFAULT Huntgroup-Name == myAP, Ldap-Group == staff
>        User-Name=`%{User-Name}`,
>        Tunnel-Medium-Type=IEEE-802,
>        Tunnel-Private-Group-Id=2,
>        Tunnel-Type=VLAN,
>        Fall-Through = no
> 
> My huntgroups file has:
> myAP            NAS-IP-Address == x.x.x.141
> 
> In my Debug I noticed that although I have them commented out 
> of radiusd.conf, I still see:
> Debug:  ldap: groupname_attribute = "cn"
> Debug:  ldap: groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"


Strange...


> You asked:
> * is your AP accepting Tunnel-Private-Group-Id=2 (I've got an AP 
> which uses another format). How do I check that?

Check in your AP documentation?

But this format is the most commonly used, so I don't think this is the
issue.

Can you send a more complete debug?

Thibault
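
Added example, not from this thread and not FreeRADIUS code: a small Python model of how the quoted users and huntgroups entries are meant to combine, so the expected outcome (VLAN attributes only for staff on the myAP NAS) can be checked before reading a full debug. It assumes that with groupmembership_attribute set, `Ldap-Group == staff` matches when the user's LDAP entry carries `staff` in eduPersonPrimaryAffiliation; the NAS address, user names, DNs and directory contents are constructed.

```python
"""Model of the users/huntgroups/LDAP decision described in the thread.

Constructed data throughout; the Ldap-Group semantics (attribute-value
match via groupmembership_attribute) are an assumption for this example.
"""

# huntgroups file: name -> NAS-IP-Addresses it covers (constructed)
HUNTGROUPS = {"myAP": ["192.0.2.141"]}

# What rlm_ldap would fetch for each user (constructed sample directory)
DIRECTORY = {
    "alice": {"dn": "uid=alice,ou=stuff,dc=net,dc=org",
              "eduPersonPrimaryAffiliation": ["staff"]},
    "bob":   {"dn": "uid=bob,ou=stuff,dc=net,dc=org",
              "eduPersonPrimaryAffiliation": ["student"]},
}
GROUP_ATTR = "eduPersonPrimaryAffiliation"   # groupmembership_attribute

# users file: list of (check items, reply items), evaluated in order
USERS = [
    ({"Huntgroup-Name": "myAP", "Ldap-Group": "staff"},
     {"Tunnel-Medium-Type": "IEEE-802",
      "Tunnel-Private-Group-Id": "2",
      "Tunnel-Type": "VLAN"}),
]

def huntgroup_matches(name, request):
    """Huntgroup-Name == name: is the NAS listed under that huntgroup?"""
    return request.get("NAS-IP-Address") in HUNTGROUPS.get(name, [])

def ldap_group_matches(group, request):
    """Ldap-Group == group: does the user's entry hold group in GROUP_ATTR?"""
    entry = DIRECTORY.get(request.get("User-Name"))
    return bool(entry) and group in entry.get(GROUP_ATTR, [])

CHECKS = {"Huntgroup-Name": huntgroup_matches,
          "Ldap-Group": ldap_group_matches}

def reply_items(request):
    """Reply attributes of the first users entry whose checks all pass.

    An empty dict means no VLAN is assigned, so the NAS falls back to
    its default VLAN (the same result a non-staff user or unknown NAS gets).
    """
    for check, reply in USERS:
        if all(CHECKS[attr](value, request) for attr, value in check.items()):
            return dict(reply)
    return {}

if __name__ == "__main__":
    print(reply_items({"User-Name": "alice", "NAS-IP-Address": "192.0.2.141"}))
    print(reply_items({"User-Name": "bob", "NAS-IP-Address": "192.0.2.141"}))
```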

More information about the Freeradius-Users mailing list