Users-file and LDAP backend mixing questions

Куприянов Максим max2k1 at yandex.ru
Mon Jan 19 15:25:55 CET 2009


19.01.09, 16:52, tnt at kalik.net:

> >> > 3. Also I need a reject rule for those users who were authenticated by LDAP and do not belong to any LDAP group. I've tried Ldap-Group !*, but this attribute always exists for every user :(
> Try unlang: if (!control:Ldap-Group) { ...
> Ivan Kalik
> Kalik Informatika ISP
> -

It doesn't work. For example, this user definitely belongs to an LDAP group:
Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dmax\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dmax\2cou\3dradius\2co\3dmyorg)))))
Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet

Here is a part of my test configuration from the authorize section:
if (!Ldap-Group) {
        ok
}
if (!control:Ldap-Group) {
        ok
}
if (!request:Ldap-Group) {
        ok
}
if (!reply:Ldap-Group) {
        ok
}
if (!config:Ldap-Group) {
        ok
}
Here are the results from -X:
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!control:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(request:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!request:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!request:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(reply:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!reply:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!reply:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(config:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!config:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!config:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: +++- if (ok) returns ok

I've also tried Ldap-Group != "*", which should always return something for that user. But the LDAP backend can only deal with single-record results :(

---
Maxim
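The debug output above shows why every variant of the test fires: the inner existence check `Evaluating !(...:Ldap-Group) -> FALSE` never finds an attribute called Ldap-Group in any list, and the negation then turns that into TRUE. In FreeRADIUS 2.x, Ldap-Group is a comparison-only attribute: rlm_ldap answers it by running the group search visible in the `ldap_groupcmp` debug line when the attribute is compared with a value, and it is never stored in the request, control or reply lists. A reject rule therefore has to compare against each permitted group rather than test for existence. The following authorize fragment is an added example, not configuration from this thread or from the FreeRADIUS project; the group names "telnet" and "ssh" are placeholders, and the use of `control:Ldap-UserDn` as the marker for "this user was found by rlm_ldap" is an assumption about how the ldap module populates the control list in this version.

```unlang
authorize {
    # ... preprocess, files, etc. as in the existing configuration ...

    ldap

    # Assumption: rlm_ldap adds Ldap-UserDn to the control list when it
    # has found the user, so this block only applies to LDAP-backed users
    # and leaves users-file entries alone.
    if (control:Ldap-UserDn) {
        # Ldap-Group is never present as a normal attribute, so
        # "if (!Ldap-Group)" is always true. Each "Ldap-Group == ..."
        # comparison triggers a real group search via ldap_groupcmp;
        # reject users that are in none of the permitted groups.
        # Group names are placeholders.
        if (!(Ldap-Group == "telnet" || Ldap-Group == "ssh")) {
            reject
        }
    }
}
```

With `radiusd -X` each comparison shows up as its own `rlm_ldap: performing search ... (cn=<group>)` line, so a user who matches neither search is rejected, while a match on either group short-circuits the `||` and falls through. Listing the allowed groups explicitly also makes the policy reviewable: a new group in the directory grants nothing until it is added here.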
