The OpenLDAP schema needs to be extended with some attributes that do not exist in the default schema. After the schema extension, if you are using Mac OS X Server, you can use "inspector mode" to assign VLANs to your users directly from the Server Admin GUI through the radiusTunnelPrivateGroupId attribute. During the authentication process an LDAP query can then be made to find the VLAN value of the user who is trying to connect.
The files involved in this process are:
/etc/openldap/slapd.conf, which needs the following include line:
include /etc/openldap/schema/radius.schema
slaptest -f slapd.conf -F slapd.d
With this command the radius.schema file is converted into its radius.ldif form, but the file name and some parts of the file need to be changed accordingly.
Wrong file name: cn={9}radius.ldif
Correct file name: cn={10}radius.ldif. The number in braces is the ordering index of the entry under cn=schema; it must be unique and follow the entries already present, so the parameters inside this file need to be changed to match:
dn: cn={9}radius -> dn: cn={10}radius
cn={9}radius -> cn={10}radius
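The renumbering above is easy to get wrong by hand (the dn: and cn: lines must carry the same index, and the index must not collide with a schema file that is already present). The following Python script, added here as an example and not part of the original page, computes the next free index from the existing cn={N}name.ldif files, rewrites only the dn: and cn: header lines of a slaptest-generated LDIF, and refuses to write an inconsistent or clashing entry. SAMPLE_LDIF is a constructed stand-in for what slaptest produces; its OID is a placeholder, not the one in the real radius.schema.

```python
import re
from pathlib import Path

# Matches the file names slaptest writes into slapd.d/cn=config/cn=schema/
SCHEMA_FILE_RE = re.compile(r"^cn=\{(\d+)\}(.+)\.ldif$")

# Constructed stand-in for the file slaptest produces. The OID is a
# placeholder for this example, not the OID from the real radius.schema.
SAMPLE_LDIF = """\
dn: cn={9}radius
objectClass: olcSchemaConfig
cn: {9}radius
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'radiusTunnelPrivateGroupId'
  DESC 'placeholder OID, constructed for this example'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""


def next_schema_index(existing_names):
    """Return one past the highest {N} among the cn={N}name.ldif files
    already present, so the new entry sorts after every existing schema."""
    indexes = [int(m.group(1)) for n in existing_names if (m := SCHEMA_FILE_RE.match(n))]
    return max(indexes, default=-1) + 1


def renumber_schema_ldif(ldif_text, new_index):
    """Rewrite only the dn: and cn: header lines of a slaptest-generated schema
    LDIF to carry new_index; attribute and objectclass definitions are untouched.
    Returns (new_file_name, new_text)."""
    header = re.match(r"dn: cn=\{(\d+)\}([^\n]+)\n", ldif_text)
    if not header:
        raise ValueError("not a slaptest schema LDIF: first line is not 'dn: cn={N}name'")
    old_index, name = header.group(1), header.group(2)
    new_text = re.sub(r"^dn: cn=\{%s\}%s$" % (old_index, re.escape(name)),
                      "dn: cn={%d}%s" % (new_index, name), ldif_text, count=1, flags=re.M)
    new_text = re.sub(r"^cn: \{%s\}%s$" % (old_index, re.escape(name)),
                      "cn: {%d}%s" % (new_index, name), new_text, count=1, flags=re.M)
    # Both header lines must agree, otherwise slapd rejects or misorders the entry
    if "cn: {%d}%s" % (new_index, name) not in new_text:
        raise ValueError("cn: line did not match the dn: line; refusing to write an inconsistent entry")
    return "cn={%d}%s.ldif" % (new_index, name), new_text


def install_schema_ldif(schema_dir, ldif_text):
    """Write a renumbered copy of ldif_text into schema_dir (the Path of
    slapd.d/cn=config/cn=schema) and return the Path that was written."""
    schema_dir = Path(schema_dir)
    idx = next_schema_index(p.name for p in schema_dir.iterdir())
    name, text = renumber_schema_ldif(ldif_text, idx)
    target = schema_dir / name
    if target.exists():  # never clobber a schema entry that is already loaded
        raise FileExistsError(str(target))
    target.write_text(text)
    return target


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        schema = Path(d)
        # Constructed: ten schema entries already present, numbered {0}..{9}
        names = ["core", "cosine", "inetorgperson", "nis", "apple", "s5", "s6", "s7", "s8", "s9"]
        for i, n in enumerate(names):
            (schema / f"cn={{{i}}}{n}.ldif").write_text(f"dn: cn={{{i}}}{n}\n")
        print(install_schema_ldif(schema, SAMPLE_LDIF).read_text())
```

Run it against a copy of the live slapd.d first; the script only writes a new file and never edits the existing schema entries, so a mistake is confined to the one file you can delete again before restarting slapd.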
The LDAP service (or the server) then needs to be restarted. After that, creating and deleting the attributes can be tested; the diradmin credential is required for this.
dscl
cd LDAPv3/127.0.0.1
auth diradmin abc123
cd Groups/vlan200
create . radiusTunnelPrivateGroupId 210
delete . radiusTunnelPrivateGroupId 210
create . radiusTunnelPrivateGroupId 200
LDAP module configuration
For the LDAP query, the LDAP module needs to be prepared. The LDAP module is actually called inside "inner-tunnel", and the returned value is assigned as the VLAN ID. Only the parameters that change are listed; the rest of the file should be left intact.
basedn needs to be written according to the production environment.
/private/etc/raddb/modules/ldap
ldap {
server = "server.uni.edu"
identity = "uid=diradmin,cn=users,dc=server,dc=uni,dc=edu"
password = abc123
basedn = "dc=uni,dc=edu"
filter = "(uid=%{User-Name})"
base_filter = "(objectclass=radiusprofile)"
set_auth_type = no
}
/private/etc/raddb/ldap.attrmap
checkItem User-Name uid
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
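To make the lookup concrete, here is a small Python model, added as an example and not code from the page or from FreeRADIUS, of what the module configuration and attrmap above do inside inner-tunnel: the filter's %{User-Name} is expanded (the ldap module escapes the expanded value before it goes into the filter; RFC 4515 escaping stands in for that here), the entry is searched, the checkItem is compared against the request, and the replyItem rows become the Tunnel-* reply attributes. DIRECTORY is a constructed snapshot of two users under the page's basedn; no real server is contacted, and base_filter is not modelled.

```python
import re

# The module filter and attrmap exactly as configured on the page
FILTER = "(uid=%{User-Name})"
ATTRMAP = """\
checkItem User-Name uid
replyItem Tunnel-Type radiusTunnelType
replyItem Tunnel-Medium-Type radiusTunnelMediumType
replyItem Tunnel-Private-Group-Id radiusTunnelPrivateGroupId
"""

# Constructed directory snapshot standing in for server.uni.edu
DIRECTORY = {
    "uid=alice,cn=users,dc=uni,dc=edu": {
        "uid": ["alice"],
        "radiusTunnelType": ["VLAN"],
        "radiusTunnelMediumType": ["IEEE-802"],
        "radiusTunnelPrivateGroupId": ["200"],
    },
    # bob exists but has never been assigned a VLAN
    "uid=bob,cn=users,dc=uni,dc=edu": {"uid": ["bob"]},
}


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template, request):
    """Expand %{Attr} references, escaping each value before it enters the filter."""
    return re.sub(r"%\{([\w-]+)\}",
                  lambda m: ldap_escape(request.get(m.group(1), "")), template)


def parse_attrmap(text):
    """Turn ldap.attrmap lines into (kind, radius_attr, ldap_attr) triples."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            kind, radius_attr, ldap_attr = line.split()
            rows.append((kind, radius_attr, ldap_attr))
    return rows


def search(directory, flt):
    """Evaluate the single (attr=value) equality filter this page uses."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr = m.group(1)
    # Undo the \xx escapes so the comparison is against the literal value
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [(dn, e) for dn, e in directory.items() if wanted in e.get(attr, [])]


def vlan_reply(directory, attrmap, request):
    """Model the inner-tunnel lookup: find the user's entry, verify the check
    items, and collect the reply items. None means nothing usable was found
    (no entry, several entries, or a failed check item); {} means the user
    exists but carries no VLAN attributes."""
    hits = search(directory, expand_filter(FILTER, request))
    if len(hits) != 1:
        return None
    _dn, entry = hits[0]
    reply = {}
    for kind, radius_attr, ldap_attr in attrmap:
        values = entry.get(ldap_attr)
        if not values:
            continue
        if kind == "checkItem" and request.get(radius_attr) != values[0]:
            return None
        if kind == "replyItem":
            reply[radius_attr] = values[0]
    return reply


if __name__ == "__main__":
    attrmap = parse_attrmap(ATTRMAP)
    for user in ("alice", "bob", "*"):
        print(user, "->", vlan_reply(DIRECTORY, attrmap, {"User-Name": user}))
```

The bob case is the one to watch in production: a user who authenticates fine but has no radiusTunnelPrivateGroupId gets an empty reply, so the switch places the port on whatever its default VLAN is. If that is not acceptable, reject such users in the policy or make the attribute mandatory when creating accounts.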