For example, there are two users in the LDAP database and SBR is able to authenticate both of them successfully. However, one of these users must get read-only access and the other read-write access on the switch they log in to.
Because the users are stored in an external database, the return list attributes cannot be mapped to the users directly; instead, each user is mapped to an SBR profile through an LDAP attribute. The procedure is as follows.

Note: Make sure that LDAP authentication is working in SBR before proceeding with this procedure.
- Create two profiles in the SBR administrator, profile1 and profile2. Configure the read-only attribute as the return list attribute in profile1 and the read-write attribute as the return list attribute in profile2.
- In the LDAP server, select two users for this test; for example, User1 and User2. User1 should get read-only access and User2 read-write access.
- In the LDAP server, select an LDAP attribute that both users have and that will carry the RADIUS authorization information; for example, the department attribute.
- On the LDAP server, set the department attribute of User1 to the value profile1 and the department attribute of User2 to the value profile2 (the profile names exactly as created in the SBR admin GUI).
- In the ldapauth.aut file, under the [Response] section, add the following entry so that the LDAP department value is used as the SBR profile name:
  %Profile = department
- Restart the SBR service.
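The mapping above only works when every user's department value exactly names an existing SBR profile; a user with a missing, mistyped or multi-valued department gets no profile and therefore no return list. The following added example (not SBR code) replays that lookup over a constructed LDIF export so the mismatch can be caught before the service restart. The profile return-list contents, the LDIF entries and the treatment of multi-valued attributes are assumptions.

```python
"""Pre-flight check for the '%Profile = department' mapping.

Hypothetical helper, not part of SBR: it mirrors the lookup that the
[Response] entry performs and flags users whose department value does
not name a configured SBR profile.
"""
from typing import Dict, List, Optional

# Constructed SBR profiles (names as created in the SBR admin GUI).
# The return-list attribute is assumed; the page does not name it.
SBR_PROFILES: Dict[str, Dict[str, str]] = {
    "profile1": {"Service-Type": "NAS-Prompt-User"},      # read-only
    "profile2": {"Service-Type": "Administrative-User"},  # read-write
}

# Constructed LDIF export of the test users (relevant attributes only).
SAMPLE_LDIF = """\
dn: uid=User1,ou=people,dc=example,dc=com
uid: User1
department: profile1

dn: uid=User2,ou=people,dc=example,dc=com
uid: User2
department: profile2

dn: uid=User3,ou=people,dc=example,dc=com
uid: User3
department: Engineering
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value'."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve_profile(entry: Dict[str, List[str]], attr: str = "department") -> Optional[str]:
    """Value must equal a profile name; missing or multi-valued is unresolved (assumption)."""
    values = entry.get(attr, [])
    return values[0] if len(values) == 1 and values[0] in SBR_PROFILES else None


def audit(ldif_text: str) -> Dict[str, Optional[str]]:
    """Map each uid to its resolved SBR profile, or None when the lookup fails."""
    return {e["uid"][0]: resolve_profile(e) for e in parse_ldif(ldif_text)}
```

Any uid that resolves to None would authenticate but receive no profile return list, which is the case to fix in LDAP before restarting SBR.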