Users-file and LDAP backend mixing questions

Куприянов Максим max2k1 at yandex.ru
Tue Jan 20 07:09:29 CET 2009


19.01.09, 18:13, tnt at kalik.net:

> >> >> > 3. Also I need a reject rule for those users who were authenticated by LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but this attribute always exists for every user :(
> >> Try unlang: if (!control:Ldap-Group) { ...
> >> -
> >
> > It doesn't work. For example, a user that for sure belongs to some LDAP-group:
> Hm, and you are sure that the empty string value check:
> if('%{control:Ldap-Group}' != "") { ...
> isn't working?

Quote from "default" file:
authorize {
	..
	ldap
	if (ok) {
		if ("%{control:Ldap-Group}" != "") {
			ok
		}
	}
	..
}

Quote from "users" file (for group existence testing):
..
DEFAULT	Framed-Protocol !* any, Ldap-Group == "telnet"
..

Example 1: User belongs to one group:
$ ldapsearch -x cn=test_user groupMembership | grep radius
groupMembership: cn=telnet,ou=profiles,ou=radius,o=myorg
$ radiusd -X -xx -s
..
Tue Jan 20 10:42:26 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
..
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:42:27 2009 : Info:        expand: %{control:Ldap-Group} ->
Tue Jan 20 10:42:27 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE
..

Example 2: User does not belong to any group:
$ ldapsearch -x cn=test_user groupMembership uid | egrep "(uid|radius)"
# requesting: groupMembership uid
uid: test_user
$ radiusd -X -xx -s
..
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: object not found or got ambiguous search result
..
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:49:57 2009 : Info:        expand: %{control:Ldap-Group} ->
Tue Jan 20 10:49:57 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE
..

---
Maxim
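Added example, not from the original post or the FreeRADIUS project: in rlm_ldap, Ldap-Group is a comparison-only attribute. The module answers a check such as Ldap-Group == "telnet" by running the group search seen in the debug output, but it never stores a value in the control list, which is why %{control:Ldap-Group} expands to nothing even right after "User found in group telnet". A check that rejects LDAP-authenticated users outside any permitted group therefore has to name the groups explicitly. The snippet below assumes the FreeRADIUS 2.x unlang syntax used in the post; the group names "telnet" and "ssh" are placeholders (only "telnet" appears in the post).

```unlang
# Added example (not from the original post). Assumes FreeRADIUS 2.x unlang and
# an rlm_ldap instance named "ldap" with groupmembership_filter configured.
authorize {
	..
	ldap
	if (ok) {
		# Ldap-Group is evaluated by rlm_ldap's group comparison, not read
		# from a stored value, so list each permitted group explicitly.
		# Placeholder group names: "telnet" and "ssh".
		if (Ldap-Group == "telnet" || Ldap-Group == "ssh") {
			ok
		}
		else {
			# Authenticated against LDAP but in none of the permitted
			# groups: return Access-Reject instead of falling through.
			reject
		}
	}
	..
}
```

With this form the debug output shows one "rlm_ldap::ldap_groupcmp" search per listed group, and a user who matches none of them (Example 2 in the post) takes the else branch; the "users" file DEFAULT entry with Ldap-Group == "telnet" can then be dropped, since the group check lives in one place.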


