VLan affect based on ldap attribute freeradius v3
Matthew Newton
mcn at freeradius.org
Thu Aug 30 19:32:42 CEST 2018
On Thu, 2018-08-30 at 19:06 +0200, jehan procaccia INT wrote:
> 2) running radiusd -X I do see the ldap query and attribute returned
> correctly
>
> rlm_ldap (prod): Reserved connection (3)
> (41) prod: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (41) prod: --> (uid=teststud)
>
> ...
>
> (41) prod: Processing user attributes
> (41) prod: control:Password-With-Header += '{CRYPT}secretaoSOObH1'
> (41) prod: control:NT-Password += secret3735323731
> (41) prod: reply:Reply-Message := 'faculty'
> (41) prod: reply:*User-Category += 'faculty'*
> rlm_ldap (prod): Released connection (3)
> (41) [prod] = updated
OK
> if ((reply:UserCategory == "employee") ||
>     (reply:UserCategory == "faculty") || (reply:UserCategory == "staff") ||
>     (reply:UserCategory == "researcher") || (reply:UserCategory == "member")) {
>         update reply {
>                 Tunnel-Private-Group-Id := 903
>         }
Use &reply:User-Category, etc
> is there a way to print the value of an attribute to check its
> *name* and *value* ?
debug_reply
If it's not there... is this the same RADIUS packet? e.g. you set
User-Category in one packet, and then check it again in the next
packet. If so, use the session-state: list instead of reply:.
> I am confused by the attribute name itself, you might have noticed in
> my vlanaffect.conf I use UserCategory but in ldap module it is named
> User*-*Category (note the - between User and Category) ! It is so
> because if in vlanaffect.conf I name it accordingly to ldap module
> (User*-*Category) strangely I get Errors in running radiusd -X :
If you use different names for the attribute then it's not going to
work...
Try with the & before the attribute name.
--
Matthew
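
The suggestions in the reply above, combined into one policy as an added example (not part of the original message, and not the poster's vlanaffect.conf). It assumes the `prod` rlm_ldap instance fills reply:User-Category as in the quoted debug output, swaps the chain of == tests for a single regex match, and adds the Tunnel-Type and Tunnel-Medium-Type attributes from RFC 3580 that switches normally expect with the VLAN ID, which the thread does not mention.

```unlang
# Added example for FreeRADIUS v3 (unlang). Fragments of a virtual server;
# other modules normally listed in these sections are omitted.

authorize {
	# LDAP instance named "prod" in the debug output (assumed to map
	# the directory attribute to reply:User-Category).
	prod

	# Prints every attribute in the reply list, name and value,
	# in the radiusd -X output.
	debug_reply

	# reply: belongs to the current packet only. If the VLAN decision
	# is taken while processing a later packet of the same
	# authentication, copy the value to session-state first.
	if (&reply:User-Category) {
		update session-state {
			&User-Category := &reply:User-Category
		}
	}
}

post-auth {
	# Use the dictionary name User-Category with the & prefix.
	# If the LDAP lookup and this test run on the same packet,
	# test &reply:User-Category instead of &session-state:.
	if (&session-state:User-Category =~ /^(employee|faculty|staff|researcher|member)$/) {
		update reply {
			&Tunnel-Type := VLAN
			&Tunnel-Medium-Type := IEEE-802
			&Tunnel-Private-Group-Id := "903"
		}
	}

	# Confirm what is actually returned to the NAS.
	debug_reply
}
```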