Generate subrealm based on an eduPersonEntitlement atttribute

[chrohrer]

As an organisation I want the user to get a realm based on the value of an eduPersonEntitlement attribute so I can do granular VLAN assignment based on this realm

Possiible example values

• http://unidemo.ch/geteduroam/4014
• https://unidemo-ch.get.eduroam.org/vlan4014
• ch:unidemo:eduroam:vl:4014

[pauldekkers]

One of the issues with this is that it's hard to change the value; I think this is why we currently implement it by role/affiliation, in such a way that we add a prefix of "student." to the realm, because that may survive a network redesign better. Is there a good reason to really make it a specific VLAN value?

(I'd argue that if it's a role, it's trivial to assign a pool of VLANs from your internal system better?)

Anyway, thinking out loud; the part that we didn't really implement is taking the value out of a part of the attribute value (just the entire value, like in the case of affiliation - yet in most cases we hardwire).

[chrohrer]

Doesn't necessarily have to be the specific VLAN value, the only requirement is that the value can be used as a subrealm.

Would it be easier if we'd use the isMemberOf attribute, which doesn't have a controlled vocabulary (eduPersonEntitlement needs to be a URI)? This way we could for example use a value in the form geteduroam-4014 (or 'vlan-4014') and use this to make a realm of @geteduroam-4014.unidemo-ch.get.eduroam.org

[pauldekkers]

Hmm, and what if it's multi-value?

[chrohrer]

Filter for a specific prefix, geteduroam- in the example above - and use the first value that conforms to it?