unlang post-auth group-name

Phil Mayers p.mayers at imperial.ac.uk
Sun Sep 26 11:01:29 CEST 2010


On 09/26/2010 03:08 AM, Cameron Wood wrote:
> Thank you Alan B & Alan D for your comments, and I'll make sure to
> include the full, complete debug output log in future.
>
> I don't think the logic of my example has changed since my earlier post,
> but I admittedly have tried encasing it in %{...} and adding a list to
> it as well to try and get it to compare against the right data.

That *is* a logic change.

To be clear: The Group-Name attribute, along with similar attributes 
(SQL-Group, LDAP-Group) does not have a "value". You cannot have it on 
the right hand side of an operator.

The only valid location for these attributes is on the left hand side of 
an == operator, because internally they "hook" the == operator, and do this:

for group in all_groups:
    if group == right_hand_side:
        return True
return False

So, this is valid in an "unlang" block:

if (Group-Name == ANYVALUE)

...but ANYTHING else you might try is not. In particular, none of the 
following will work:

if ("%{Group-Name}" ...)

update control {
   An-Attribute = "%{Group-Name}"
}
if (An-Attribute)

...and so on.


> Is the comparison in the right location, in the Authorize section, and
> if so am I trying to compare against the wrong attribute, hence it
> getting expanded and not returning anything?
>
> Alan D could you shed some light on how the Group-Name attribute in
> Users is populated/gets compared when doing checks there?

It does not get "populated". The attribute implements its own == 
handler, which operates as above.

>
> I suspect from your comment that the field I am trying to check against
> since you say it can contain many values "because the user may be a
> member of many, many, groups" could be a long string with separators or
> an array of values, would this be right? In which case do I need to use
> a regex method or access a specific value within an array?

No. See above. It does NOT have a "value".

Do you know any programming languages? If so, think "operator overloading".
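
Added example, not part of the original post and not FreeRADIUS code: a Python model of the behaviour described above, where Group-Name holds no value and only the hooked == comparison can see group membership. The Request class, the GROUP_DB data and the empty-string result of expanding Group-Name are assumptions made for illustration.

```python
import re

# Constructed sample data: one user in several groups, one user in none.
GROUP_DB = {"alice": {"staff", "vpn-users"}, "bob": set()}


class Request:
    """Toy model of a request: stored attributes plus a group backend."""

    def __init__(self, user, group_db=GROUP_DB):
        self.user = user
        self.group_db = group_db
        self.stored = {"User-Name": user}  # attributes that really hold a value

    def group_name_eq(self, rhs):
        # Models the hooked == operator: walk every group, stop on a match.
        for group in self.group_db.get(self.user, ()):
            if group == rhs:
                return True
        return False

    def expand(self, template):
        # Models %{Attr} expansion: only stored values are visible, so
        # Group-Name (which has no value) yields the empty string here.
        return re.sub(r"%\{([^}]+)\}",
                      lambda m: self.stored.get(m.group(1), ""), template)


def evaluate(user, wanted):
    """Compare the one valid form with the two forms the post rules out."""
    req = Request(user)
    hooked = req.group_name_eq(wanted)                # if (Group-Name == wanted)
    expanded = req.expand("%{Group-Name}") == wanted  # if ("%{Group-Name}" == wanted)
    req.stored["An-Attribute"] = req.expand("%{Group-Name}")  # update control {...}
    copied = req.stored["An-Attribute"] == wanted     # later test on the copy
    return {"hooked": hooked, "expanded": expanded, "copied": copied}


if __name__ == "__main__":
    for user, wanted in [("alice", "staff"), ("alice", "vpn-users"), ("bob", "staff")]:
        print(user, wanted, evaluate(user, wanted))
```

In this model a group check written with expansion or a copied attribute is false for every user, so a policy that grants or denies access on it never takes the intended branch.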


