Dynamic Vlan Allocation based on LDAP Attribute Value

Paul Dealy pdealy at gmail.com
Tue Feb 17 01:27:29 CET 2009


On Tue, Feb 17, 2009 at 11:04 AM,  <tnt at kalik.net> wrote:
>>>>Am I correct in saying that the LDAP-attribute that is mapped to
>>>>Tunnel-Private-Group-ID would need to be set to the value of the
>>>>VLAN I require?  The  LDAP-attribute that I wish to use currently
>>>>contains values like "ITISCP" and "ENISCP".  I want to say if
>>>>attribute value  == ITISCP set vlan to 226 (ie Tunnel-Private-Group-ID
>>>>= 226).  Using ldap.attrmap mappings I would need to store the
>>>>required vlan in a LDAP attribute.  (I can't change the LDAP only read
>>>>it).
>>>>
>>>
>>> No. You can define your own attribute (let's say VLAN-Flag) in
>>> raddb/dictionary and use unlang in authorize section to test and set
>>> tunnel attributes.
>>
>>Thanks Ivan,
>>
>>I've configured a dictionary value "userORGUNIT" and added a
>>ldap.attrmap mapping.   I've tried to perform a comparison operation
>>on the value of userORGUNIT in the config file: users.
>>
>>i.e DEFAULT userORGUNIT == "HR"
>>     Tunnel-Private-Group-Id = "226"
>>
>>But this does not match, even though debug shows "rlm_ldap: Adding
>>userORGUNIT as userORGUNIT, value HR & op=21"
>>
>>Is this the correct location for these comparison operations?  There
>>are around 50 userORGUNITs that I need to compare against.
>>
>
> Files are normally listed before ldap in authorize. Use unlang switch
> command *after* ldap entry. Or list files after ldap if you are using an
> old version.

Ivan,

I'm using version 1.1.3, so I moved the "files" entry below the ldap
entry but my DEFAULT entry in the file: users does not match or return
any value.

>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
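
The approach suggested in the quoted replies (a local dictionary attribute, an ldap.attrmap mapping, and an unlang switch placed after ldap in authorize), written out as an added example that is not from either poster or from the FreeRADIUS project. It needs FreeRADIUS 2.x, since unlang is not available in 1.1.x. Assumptions: the attribute number 3000, the placeholder LDAP_ORGUNIT_ATTR, the value being readable from the control list, and rejecting unmapped values through the stock `reject` instance.

```unlang
# --- raddb/dictionary -------------------------------------------------
# Local attribute that never goes on the wire.
# 3000 is a constructed number; pick one that is free in your dictionary.
ATTRIBUTE	userORGUNIT	3000	string

# --- raddb/ldap.attrmap -----------------------------------------------
# LDAP_ORGUNIT_ATTR is a placeholder for the real directory attribute.
checkItem	userORGUNIT	LDAP_ORGUNIT_ATTR

# --- virtual server, authorize section (other modules omitted) --------
authorize {
	preprocess
	ldap

	# Must come after ldap, otherwise userORGUNIT is not loaded yet.
	# Assumption: checkItem mappings are read from the control list;
	# confirm where the value lands in radiusd -X output.
	switch "%{control:userORGUNIT}" {
		case "HR" {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "226"
			}
		}
		case "ITISCP" {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "226"
			}
		}
		# ... one case per remaining org unit ...

		case {
			# Default: a value with no mapping gets no VLAN at all,
			# so the user cannot fall into the port's default VLAN.
			# Assumes the stock "always" instance named reject.
			reject
		}
	}
}
```

Most switches only act on Tunnel-Private-Group-Id when Tunnel-Type and Tunnel-Medium-Type accompany it, which is why all three are set in each case.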


