Dynamic VLAN attribute in LDAP or AD?

Mon Aug 24 23:06:13 CEST 2009

Agreed. I didn't know if I could do some group checking with ntlm_auth, more accurately get a list of groups a user belongs to? If I used FQDN I could prolly parse out the info I need from the user name as well: gary.neteng.waddell.... Ill try LDAP - good learning experience!

----- Original Message -----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org <freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org>
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Sent: Mon Aug 24 15:48:40 2009
Subject: RE: Dynamic VLAN attribute in LDAP or AD?

> Interesting...  I'm assuming I could use existing LDAP attribs and remap
> them as needed?  Ie: "Fax Number" could be mapped to Tunnel ID?
> Extending the schema is like getting teeth pulled.

Resist the temptation and extend the schema now instead of later.  When
you need the Fax Number, what will you do?

If you don't want to tackle LDAP, you could write a script to generate a
separate file of unlang if-then blocks and pull it into the FR conf file
with an $INCLUDE statement.

> Also, no way to do this with NTLM auth is there?

No.  NTLM_auth is an authentication tool that returns 0 or 1 depending on
the correctness of a password.  This is an authorization question - what
kind of access will the authenticated user be given?

> -----Original Message-----
> From: Jason Alderfer [mailto:jha2 at emu.edu]
> Sent: Monday, August 24, 2009 2:10 PM
> To: Gary Gatten
> Subject: RE: Dynamic VLAN attribute in LDAP or AD?
>
>
>> So, by looking at this more carefully I'll have to do a bunch of
>> if/else's or cases?  What if for instance I have 500
> departments/groups
>> - 500 different vlans?  I'll have to test each one?
>>
>> I guess what I was hoping to do was something like:
>>
>> Get attribute "n" for user y (where n = a value used for
>> Tunnel-Private-Group-Id"
>
> You will need to extend your LDAP schema to include the attributes
> needed
> for the VLAN and make sure they are properties of the objects that you
> want them to apply to.
>
> Then you will need to add these attributes to the FR ldap.attrmap file,
> e.g.
>
> replyItem       Tunnel-Type                     radiusTunnelType
> replyItem       Tunnel-Medium-Type              radiusTunnelMediumType
> replyItem       Tunnel-Private-Group-Id
> radiusTunnelPrivateGroupId
>
> Now the LDAP module should be able to set these attributes automatically
> for each request if you enable it in the authorize or post-auth section.
>
> Jason

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090824/74b8ef9c/attachment.html>