On 2013-04-19 13:49, Jason 'XenoPhage' Frisvold wrote:
> On 04/19/2013 11:41 AM, Fabrice DURAND wrote:
>> Hello Jason,
>>
>> in packetfence-tunnel file (for 802.1x) in the section authorize,
>> use: update request { Tmp-String-0 := "EMPLOYEE" }
> How would I handle multiple different groups?  We have EMPLOYEE, LAB,
> ADMIN, etc...  Will something like this work?
>
> switch Ldap-group {
>       case "cn=employee,ou=groups,o=myorg" {
>               update request {
>                       Tmp-String-0 := "EMPLOYEE"
>               }
>       }
>       case "cn=lab,ou=groups,o=myorg" {
>               update request {
>                       Tmp-String-0 := "LAB"
>               }
>       }
> etc...
> }
There is a better way to do that:

Tmp-String-0 := "%{ldap:ldap:///dc=domain,dc=com?Description?sub?uid=%{User-Name}}";

Will return the Description attribute assigned to the username.

>> Then in the request forwarded to packetfence in the file
>> /usr/local/pf/lib/pf/radius/custom.pm write your own authorize and
>> _parseRequest function (copy it from radius.pm) and you should see
>> _parseRequest($radius_request); this function must return a new
>> attribute based on the radius attribute Tmp-String-0.
> So essentially I should check $radius_request->{'Tmp-String-0'}, match
> on the appropriate value, and then return a new attribute, $vlanname
> maybe?  Just tack that on to the end of the existing return?
In fact, create some categories in PacketFence, and in radius/custom.pm add
something like this:

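    # The attribute name contains hyphens, so read it from the request hash
    if ( defined($radius_request->{'Tmp-String-0'}) && ($radius_request->{'Tmp-String-0'} eq 'EMPLOYEE') ) {
        node_modify($mac, ('category' => 'employee'));
    }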


Then, in vlan/custom.pm, uncomment the getNormalVlan function
and add something like this:

    if (defined($node_info->{'category'}) && lc($node_info->{'category'}) eq "employee") {
        return $switch->getVlanByName('customVlan3');
    }

>> So with this new attribute you should be able to set a category for
>> the node and then associate a category to a vlan id (vlan/custom.pm
>>   getNormalVlan)
> And then the return from the previous will map here to the vlan I
> need..  Specifically, I'm looking to use the "name" of the vlan in
> packetfence, so normalVlan, customVlan1, etc. ?
>
>> Regards Fabrice
> -- 
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
>
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
Regards
Fabrice


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
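
An added example (not part of the original message and not PacketFence's own code) that generalises the two snippets above to several groups, as Jason asked: both mappings are allowlist tables, so an unknown, empty or missing Tmp-String-0 yields no category and the node stays on normalVlan. The subroutine names, the lab/admin categories and their VLAN names are assumptions; in PacketFence the results would be passed to node_modify and $switch->getVlanByName as in the message.

```perl
#!/usr/bin/perl
# Added illustration, not PacketFence code: table-driven version of the two
# mappings from the message (Tmp-String-0 -> category -> VLAN name).
use strict;
use warnings;

# Assumed tables. Only EMPLOYEE/employee/customVlan3 appear together in the
# thread; the lab and admin rows are placeholders to adapt.
my %CATEGORY_FOR = (
    EMPLOYEE => 'employee',
    LAB      => 'lab',
    ADMIN    => 'admin',
);
my %VLAN_FOR = (
    employee => 'customVlan3',
    lab      => 'customVlan1',
    admin    => 'customVlan2',
);

# Return the category for a RADIUS request hash, or undef when the
# attribute is missing, empty, or not in the allowlist.
sub category_for_request {
    my ($radius_request) = @_;
    my $value = $radius_request->{'Tmp-String-0'};
    return undef unless defined $value;
    $value =~ s/^\s+|\s+$//g;             # directory values may carry stray whitespace
    return $CATEGORY_FOR{ uc($value) };   # undef for anything unlisted
}

# Return the VLAN name for a node, falling back to normalVlan (assumed default).
sub vlan_name_for_node {
    my ($node_info) = @_;
    my $category = $node_info->{'category'};
    return 'normalVlan' unless defined $category;
    return $VLAN_FOR{ lc($category) } // 'normalVlan';
}

# Constructed sample requests, including the failure cases.
for my $req ( { 'Tmp-String-0' => 'EMPLOYEE' }, { 'Tmp-String-0' => ' lab ' },
              { 'Tmp-String-0' => 'CONTRACTOR' }, { 'Tmp-String-0' => '' }, {} ) {
    my $category = category_for_request($req);
    my $vlan     = vlan_name_for_node( { category => $category } );
    printf "%-12s -> category=%-9s vlan=%s\n",
        $req->{'Tmp-String-0'} // '(missing)', $category // '(none)', $vlan;
}
```
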


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users