LDAP Groups and Dynamic VLAN assignment


LDAP Groups and Dynamic VLAN assignment

stich86
hi guys,

I want to assign VLANs based on group entries and users on the LDAP server. Actually my schema is divided in this way:

ou=groups
-- cn=admin-vlan (with radiusProfile and items to set VLAN ID)
-- cn=dev-vlan
ou=people
-- cn=testusers (that is a uniqueMember of admin-vlan)

the only configuration that works is:

ldap conf:


ldap server1 {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "x.x.x.x"
        identity = "cn=Administrator,dc=mydomain,dc=com"
        password = passs
        basedn = "dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"

}

users file:

DEFAULT Ldap-Group == admin-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 10

DEFAULT Ldap-Group == dev-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 9

DEFAULT LDAP-Group != "admin-vlan", Auth-Type := Reject
DEFAULT LDAP-Group != "dev-vlan", Auth-Type := Reject

Is there a possibility to get "Tunnel-Private-Group-ID and others" from the LDAP groups and not the users file?

I've read docs/rlm_ldap many times but can't get out of this problem :(

Is it possible to do this configuration in conjunction with a redundant ldap configuration?

thanks!

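Added example, not part of this thread: a small Python model of how the ldap group filter and the users file in the post above are evaluated, run over a constructed directory fragment. DIRECTORY, USERS_FILE, ldap_groups and authorize are invented names, and the users "bob" and "eve" are made up; it shows why the two `!=` reject lines only catch users who are in neither group.

```python
# Constructed LDAP fragment mirroring the poster's layout (ou=groups holding
# a groupOfUniqueNames and a groupOfNames, users under ou=people). All DNs
# and the extra users are made up for this example.
DIRECTORY = {
    "cn=admin-vlan,ou=groups,dc=mydomain,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=testusers,ou=people,dc=mydomain,dc=com"],
    },
    "cn=dev-vlan,ou=groups,dc=mydomain,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=mydomain,dc=com"],
    },
}

# The poster's users file as data: (check items, reply items). With no
# Fall-Through, rlm_files stops at the first entry whose checks all match.
USERS_FILE = [
    ([("==", "admin-vlan")], {"Service-Type": "Framed-User", "Tunnel-Type": "VLAN",
                             "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "10"}),
    ([("==", "dev-vlan")], {"Service-Type": "Framed-User", "Tunnel-Type": "VLAN",
                           "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-ID": "9"}),
    ([("!=", "admin-vlan")], {"Auth-Type": "Reject"}),
    ([("!=", "dev-vlan")], {"Auth-Type": "Reject"}),
]


def ldap_groups(user_dn):
    """Emulate the groupmembership_filter: a group matches when it is a
    GroupOfNames whose 'member' lists user_dn, or a GroupOfUniqueNames whose
    'uniqueMember' lists it. Returns the cn values (groupname_attribute)."""
    found = []
    for dn, entry in DIRECTORY.items():
        classes = {c.lower() for c in entry["objectClass"]}
        by_member = "groupofnames" in classes and user_dn in entry.get("member", [])
        by_unique = "groupofuniquenames" in classes and user_dn in entry.get("uniqueMember", [])
        if by_member or by_unique:
            found.append(dn.split(",")[0].split("=", 1)[1])
    return found


def authorize(user_dn):
    """Walk the users file in order and return the reply items of the first
    entry whose Ldap-Group checks all hold (== means member, != means not)."""
    groups = ldap_groups(user_dn)
    for checks, reply in USERS_FILE:
        if all((name in groups) == (op == "==") for op, name in checks):
            return dict(reply)
    return {}
```

A member of admin-vlan gets VLAN 10 and never reaches the reject lines; a user in neither group hits the first `!=` entry and is rejected.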


Re: LDAP Groups and Dynamic VLAN assignment

Alexander Clouter
stich86 <[hidden email]> wrote:
>
> there is a possibility to get "Tunnel-Private-Group-ID and others" from the
> LDAP groups and not users file?
>
> i've read many times docs/rlm_ldap but cant get out of this problem :(
>
Next time, try the freeradius-users@ archive too (true of *any* mailing
list)?
 
> Is it possible to do this configuration in conjunction with redundant ldap
> configuration??
>
http://www.mail-archive.com/freeradius-users@.../msg71133.html

Cheers

--
Alexander Clouter
.sigmonster says: Is there life before breakfast?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html