LDAP Groups and Dynamic VLAN assignment

stich86 stich86 at gmail.com
Wed Jul 27 17:23:15 CEST 2011


hi guys,

I want to assign VLANs based on group entries and users on the LDAP server.
Currently my schema is divided in this way:

ou=groups
-- cn=admin-vlan (with radiusProfile and items to set VLAN ID)
-- cn=dev-vlan
ou=people
-- cn=testusers (that is a uniqueMember of admin-vlan)

the only configuration that works is:

ldap conf:


ldap server1 {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "x.x.x.x"
        identity = "cn=Administrator,dc=mydomain,dc=com"
        password = passs
        basedn = "dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"

}

users file:

DEFAULT Ldap-Group == admin-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 10

DEFAULT Ldap-Group == dev-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 9

DEFAULT LDAP-Group != "admin-vlan", Auth-Type := Reject
DEFAULT LDAP-Group != "dev-vlan", Auth-Type := Reject

Is there a way to get Tunnel-Private-Group-ID and the other attributes from the
LDAP groups rather than from the users file?

I've read docs/rlm_ldap many times but can't get out of this problem :(

Is it possible to do this configuration in conjunction with a redundant LDAP
configuration?

thanks!




--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Groups-and-Dynamic-VLAN-assignment-tp4639157p4639157.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
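The following is an added example and not part of the original post or of FreeRADIUS itself. It models the poster's tree (ou=groups with radiusProfile entries, ou=people with users) with constructed in-memory entries and resolves a user's VLAN reply attributes from the group the user belongs to, mirroring the groupmembership_filter above (groupOfNames via member, groupOfUniqueNames via uniqueMember) and the trailing Reject rules for users in no VLAN group. The radiusServiceType / radiusTunnelType / radiusTunnelMediumType / radiusTunnelPrivateGroupId attribute names are assumed to follow the FreeRADIUS LDAP schema's radiusProfile object class; the uid values and DNs are constructed sample data.

```python
"""Resolve RADIUS VLAN reply attributes from LDAP group entries.

Added example, not from the original post. Group membership is resolved the
way the poster's groupmembership_filter does it: groupOfNames via 'member',
groupOfUniqueNames via 'uniqueMember'. The radius* attribute names are an
assumption (FreeRADIUS LDAP schema, radiusProfile object class).
"""
from typing import Dict, List, Optional

BASE_DN = "dc=mydomain,dc=com"

# Constructed directory snapshot: DN -> attributes (multi-valued, as in LDAP).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"cn=admin-vlan,ou=groups,{BASE_DN}": {
        "objectClass": ["groupOfUniqueNames", "radiusProfile"],
        "cn": ["admin-vlan"],
        "uniqueMember": [f"uid=testusers,ou=people,{BASE_DN}"],
        "radiusServiceType": ["Framed-User"],
        "radiusTunnelType": ["VLAN"],
        "radiusTunnelMediumType": ["IEEE-802"],
        "radiusTunnelPrivateGroupId": ["10"],
    },
    f"cn=dev-vlan,ou=groups,{BASE_DN}": {
        "objectClass": ["groupOfNames", "radiusProfile"],
        "cn": ["dev-vlan"],
        "member": [f"uid=bob,ou=people,{BASE_DN}"],
        "radiusServiceType": ["Framed-User"],
        "radiusTunnelType": ["VLAN"],
        "radiusTunnelMediumType": ["IEEE-802"],
        "radiusTunnelPrivateGroupId": ["9"],
    },
    f"uid=testusers,ou=people,{BASE_DN}": {"objectClass": ["inetOrgPerson"], "uid": ["testusers"]},
    f"uid=bob,ou=people,{BASE_DN}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    # Member of no group: must end up rejected, like the poster's final DEFAULT rules.
    f"uid=guest,ou=people,{BASE_DN}": {"objectClass": ["inetOrgPerson"], "uid": ["guest"]},
}

# Which group attribute feeds which RADIUS reply attribute (assumed schema names).
LDAP_TO_RADIUS = {
    "radiusServiceType": "Service-Type",
    "radiusTunnelType": "Tunnel-Type",
    "radiusTunnelMediumType": "Tunnel-Medium-Type",
    "radiusTunnelPrivateGroupId": "Tunnel-Private-Group-ID",
}

REJECT = {"Auth-Type": "Reject"}


def attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; look up accordingly."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def find_user_dn(uid: str) -> Optional[str]:
    """Equivalent of the poster's filter (uid=%{User-Name}) under basedn."""
    for dn, entry in DIRECTORY.items():
        if dn.endswith(BASE_DN) and uid in attr(entry, "uid"):
            return dn
    return None


def groups_for(user_dn: str) -> List[str]:
    """Mirror the groupmembership_filter: member for groupOfNames,
    uniqueMember for groupOfUniqueNames."""
    target = norm_dn(user_dn)
    found: List[str] = []
    for dn, entry in DIRECTORY.items():
        classes = {c.lower() for c in attr(entry, "objectClass")}
        members: List[str] = []
        if "groupofnames" in classes:
            members += attr(entry, "member")
        if "groupofuniquenames" in classes:
            members += attr(entry, "uniqueMember")
        if any(norm_dn(m) == target for m in members):
            found.append(dn)
    return found


def reply_for(uid: str) -> Dict[str, str]:
    """Reply attributes from the first radiusProfile group the user is in.
    Unknown users and users in no VLAN group are rejected, the same outcome
    as the poster's trailing DEFAULT ... Auth-Type := Reject entries."""
    user_dn = find_user_dn(uid)
    if user_dn is None:
        return dict(REJECT)
    for group_dn in groups_for(user_dn):
        group = DIRECTORY[group_dn]
        if "radiusprofile" not in {c.lower() for c in attr(group, "objectClass")}:
            continue
        reply = {r: attr(group, l)[0] for l, r in LDAP_TO_RADIUS.items() if attr(group, l)}
        # A profile with no VLAN id must not drop the user onto the NAS default
        # VLAN silently; reject instead of sending a partial tunnel reply.
        if "Tunnel-Private-Group-ID" not in reply:
            return dict(REJECT)
        return reply
    return dict(REJECT)


if __name__ == "__main__":
    for name in ("testusers", "bob", "guest", "nobody"):
        print(name, "->", reply_for(name))
```

The lookup order is the directory order, so a user placed in two VLAN groups gets the first one found, which matches the first-match behaviour of DEFAULT entries in the users file; a deployment that cannot tolerate that ambiguity should reject instead.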