Dynamic VLAN attribute in LDAP or AD?
Jason Alderfer
jha2 at emu.edu
Mon Aug 24 22:48:40 CEST 2009
> Interesting... I'm assuming I could use existing LDAP attribs and remap
> them as needed? Ie: "Fax Number" could be mapped to Tunnel ID?
> Extending the schema is like getting teeth pulled.
Resist the temptation and extend the schema now instead of later. When
you need the Fax Number, what will you do?
If you don't want to tackle LDAP, you could write a script to generate a
separate file of unlang if-then blocks and pull it into the FR conf file
with an $INCLUDE statement.
> Also, no way to do this with NTLM auth is there?
No. NTLM_auth is an authentication tool that returns 0 or 1 depending on
the correctness of a password. This is an authorization question - what
kind of access will the authenticated user be given?
> -----Original Message-----
> From: Jason Alderfer [mailto:jha2 at emu.edu]
> Sent: Monday, August 24, 2009 2:10 PM
> To: Gary Gatten
> Subject: RE: Dynamic VLAN attribute in LDAP or AD?
>
>
>> So, by looking at this more carefully I'll have to do a bunch of
>> if/else's or cases? What if for instance I have 500
>> departments/groups
>> - 500 different vlans? I'll have to test each one?
>>
>> I guess what I was hoping to do was something like:
>>
>> Get attribute "n" for user y (where n = a value used for
>> Tunnel-Private-Group-Id"
>
> You will need to extend your LDAP schema to include the attributes
> needed for the VLAN and make sure they are properties of the objects
> that you want them to apply to.
>
> Then you will need to add these attributes to the FR ldap.attrmap file,
> e.g.
>
> replyItem Tunnel-Type radiusTunnelType
> replyItem Tunnel-Medium-Type radiusTunnelMediumType
> replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
>
> Now the LDAP module should be able to set these attributes automatically
> for each request if you enable it in the authorize or post-auth section.
>
> Jason
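As an added example (not part of the thread), a Python script along the lines Jason suggests above: it generates unlang if/elsif blocks from a group-to-VLAN mapping, for a file pulled into the FreeRADIUS config with $INCLUDE. The sample mapping is constructed, and the Ldap-Group attribute and the exact unlang syntax are assumptions for FreeRADIUS 2.x; the input checks exist because directory data quoted into a config file has to be kept from breaking or rewriting that config.

```python
import re

# Constructed sample mapping (stands in for a CSV exported from the
# directory): department/group name -> VLAN ID.
SAMPLE_MAPPING = [
    ("Engineering", "110"),
    ("Finance", "120"),
    ("Guests", "900"),
]

# Group names are quoted inside unlang; restrict them so a directory entry
# cannot inject quotes, newlines or braces into the generated config.
_GROUP_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def validate(group, vlan):
    """Raise ValueError for names or VLAN IDs that are unsafe to emit."""
    if not _GROUP_RE.match(group):
        raise ValueError("unsafe group name: %r" % group)
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        raise ValueError("VLAN ID out of range: %r" % vlan)
    return group, str(int(vlan))


def render_block(group, vlan, first):
    """One if/elsif block setting the three RFC 2868 tunnel attributes.
    Ldap-Group is an assumption about how the ldap module exposes membership."""
    group, vlan = validate(group, vlan)
    keyword = "if" if first else "elsif"
    return (
        '%s (Ldap-Group == "%s") {\n'
        "\tupdate reply {\n"
        "\t\tTunnel-Type := VLAN\n"
        "\t\tTunnel-Medium-Type := IEEE-802\n"
        '\t\tTunnel-Private-Group-Id := "%s"\n'
        "\t}\n"
        "}\n"
    ) % (keyword, group, vlan)


def render_unlang(mapping):
    """Return the complete unlang text for a file pulled in with $INCLUDE."""
    blocks = [render_block(g, v, i == 0) for i, (g, v) in enumerate(mapping)]
    blocks.append("else {\n\treject\n}\n")  # unmatched group: no VLAN, reject
    return "".join(blocks)


if __name__ == "__main__":
    print(render_unlang(SAMPLE_MAPPING))
```

The trailing else/reject is a policy choice: a user in no mapped group gets no VLAN and no access, rather than silently landing on the switch port's default VLAN.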