LDAP authorization without group attribute

Alan DeKok aland at deployingradius.com
Tue May 13 17:17:31 CEST 2014


Walter Reynolds wrote:
> I am running Freeradius 2.2.4 and am not quite sure where to go with
> this.  I have read the documentation, but my need does not quite match.

  The documentation describes common setups, and generally how to solve
problems.  It doesn't describe unusual setups.  Yours seems unusual.

> We have the standard EAP-PEAP setup where users are authenticated
> against AD via ntlm-auth.  What I need to do is add an authorization
> check to determine if a user should get a specific VLAN attribute sent
> back or be placed in a default VLAN (This is so we can only allow access
> to library resources to those that should be allowed).

  That's easy.  Write an LDAP query which returns whether or not the
user should get that VLAN, and then use it to set the VLAN:

	if ("%{ldap:query....}") {
		update reply {
			... vlan info...
		}
	}

  The hard part is writing the LDAP query.

> Now, if I had an LDAP group that contained these I could use a simple
> group setup listed in the http://wiki.freeradius.org/modules/Rlm_ldap
> page.  My problem is, the attribute that contains the data about the
> affiliation is a multi valued attribute

  Which is unusual, and isn't generally recommended.  Because it's
awkward and hard to deal with.

> Another path of thought was to specify a filter in the LDAP module
> config to something like this.
> 
>             filter =
>     "(&(uid=%{Stripped-User-Name:-%{User-Name}})(|(umichinstroles=*AffiliateAA)(umichinstroles=*FacultyAA)(umichinstroles=*StudentAA)(umichinstroles=*StaffAA)))"
> 
> So that works as far as only responding if a user matches one of those,

  Which is good.

> but then how would I apply a VLAN for them and leave everyone else in a
> default VLAN?

  See the debug output.  The LDAP module will return "ok" when a result
is found, or "notfound" when a result isn't found.  You can then do:

	ldap
	if (ok) {
		... vlan for matching people
	}
	else {
		... default vlan
	}

  Alan DeKok.
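As an added example (not part of Alan's reply or of the FreeRADIUS project's own configuration), here is how the filter from the original post and the `ldap` / `if (ok)` pattern above fit together in a FreeRADIUS 2.x setup. It assumes the user is authenticated through the `inner-tunnel` virtual server (the inner MSCHAPv2 leg of PEAP), that the reply uses the standard RFC 2868 tunnel attributes that switches read for VLAN assignment, and that the server, base DN and the VLAN numbers 100 and 999 are placeholders:

```unlang
# modules/ldap (excerpt): the filter from the original post, so the search
# only matches a user who holds one of the library-eligible roles.
ldap {
	server = "ldap.example.org"              # placeholder
	basedn = "ou=People,dc=example,dc=org"   # placeholder
	filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(|(umichinstroles=*AffiliateAA)(umichinstroles=*FacultyAA)(umichinstroles=*StudentAA)(umichinstroles=*StaffAA)))"
}

# sites-enabled/inner-tunnel (excerpt): authorization for the inner request.
# Authentication itself still happens via mschap / ntlm_auth; rlm_ldap is used
# here purely as an authorization lookup and does no bind as the user.
authorize {
	mschap
	eap

	# rlm_ldap returns "ok" when the filtered search finds the user and
	# "notfound" when it does not; "notfound" here does not reject the user.
	ldap
	if (ok) {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "100"   # placeholder: library VLAN
		}
	}
	else {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "999"   # placeholder: default VLAN
		}
	}
}
```

Two things to check in `radiusd -X` output when testing this: first, that the `ldap` module really logs `notfound` (and not `fail`, which would stop processing before the `else` branch runs) for a user outside the role list; second, that the tunnel attributes actually appear in the outer Access-Accept. In 2.x the inner-tunnel reply is only copied to the outer reply when `use_tunneled_reply = yes` is set in the `peap` section of `eap.conf`; without it the switch never sees the VLAN.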

