unlang post-auth group-name

Cameron Wood cameron.e.wood at gmail.com
Sun Sep 26 12:47:52 CEST 2010


Thanks for explaining that, Phil, appreciate it.

I had come to the conclusion that I couldn't enclose these references
because it was trying to expand them and thus expecting them to have a
single value. Similarly I couldn't assign from them because of this same
reason. But still I was missing the point that you made, that these
references implement their own == routine to accomplish these comparisons. I
hadn't dealt with Operator Overloading before either so that helped put that
in perspective when I looked that up.

I'm still completely stumped, though, as to why I can't get any joy from my
comparisons using the following IF statement:

        if (Group-Name == 'net_su') {
                update control {
                        Tmp-String-2 := 'net_su'
                }
        }


The Group-Name checks I have in my Users file return as expected, but I
couldn't see any reason why they aren't working here from the output of my
debug log below:

[ldap] performing user authorization for cameron
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> cameron
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=cameron)
[ldap]  expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 0
rlm_ldap: bind as / to kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter
(uid=cameron)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user cameron authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++? if (Ldap-Group == 'net_su')
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
        expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter
(&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group net_su not found or user is not a member.
? Evaluating (Ldap-Group == 'net_su') -> FALSE
++? if (Ldap-Group == 'net_su') -> FALSE
++? if (Group-Name == 'net_su')
? Evaluating (Group-Name == 'net_su') -> FALSE
++? if (Group-Name == 'net_su') -> FALSE
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "cameron" with password "password123"
[ldap] user DN: uid=cameron,ou=People,dc=ac3,dc=com,dc=au
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 1
rlm_ldap: bind as uid=cameron,ou=People,dc=ac3,dc=com,dc=au/password123 to
kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user cameron authenticated succesfully
++[ldap] returns ok


The only thing I could think of is that the LDAP settings aren't correct and
hence not finding my group memberships, but if this is the case how does
Group-Name, when used in the Users file, find my assigned groups and
successfully compare them?


Regards
Cam.
--
On Sun, Sep 26, 2010 at 19:01, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 09/26/2010 03:08 AM, Cameron Wood wrote:
>
>> Thank you Alan B & Alan D for your comments, and I'll make sure to
>> include the full, complete debug output log in future.
>>
>> I don't think the logic of my example has changed since my earlier post,
>> but I admittedly have tried encasing it in %{...} and adding a list to
>> it as well to try and get it to compare against the right data.
>>
>
> That *is* a logic change.
>
> To be clear: The Group-Name attribute, along with similar attributes
> (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the
> right hand side of an operator.
>
> The only valid location for these attributes is on the left hand side of an
> == operator, because internally they "hook" the == operator, and do this:
>
> for group in all_groups:
>  if group == right-hand-side
>    return True
> return False
>
> So, this is valid in an "unlang" block:
>
> if (Group-Name == ANYVALUE)
>
> ...but ANYTHING else you might try is not. In particular, none of the
> following will work:
>
> if ("%{Group-Name}" ...)
>
> update control {
>  An-Attribute = "%{Group-Name}"
> }
> if (An-Attribute)
>
> ...and so on.
>
>
>
>> Is the comparison in the right location, in the Authorize section, and
>> if so am I trying to compare against the wrong attribute, hence it
>> getting expanded and not returning anything?
>>
>> Alan D could you shed some light on how the Group-Name attribute in
>> Users is populated/gets compared when doing checks there?
>>
>
> It does not get "populated". The attribute implements its own == handler,
> which operates as above.
>
>
>
>> I suspect from your comment that the field I am trying to check against
>> since you say it can contain many values "because the user may be a
>> member of many, many, groups" could be a long string with separators or
>> an array of values, would this be right? In which case do I need to use
>> a regex method or access a specific value within an array?
>>
>
> No. See above. It does NOT have a "value".
>
> Do you know any programming languages? If so, think "operator overloading".
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
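As an added example (editor's illustration, not code from the thread or from the FreeRADIUS project), here is the shape of an authorize section that uses the group comparison the way Phil describes, with the invalid forms beside it for contrast. The section name, the `ldap` module, the `net_su` group and `Tmp-String-2` follow the thread; using `Ldap-Group` rather than `Group-Name` (both appear in Cameron's debug output and behave the same way under Phil's explanation) and the placement of the check after the `ldap` module call are assumptions.

```unlang
authorize {
    preprocess

    # The ldap module runs first so that the user has been looked up
    # before any LDAP group comparison is evaluated.
    ldap

    # Valid: the group attribute is only ever the LEFT operand of ==.
    # rlm_ldap hooks the comparison, runs its group search for the named
    # group and answers true/false; no attribute value is ever read.
    if (Ldap-Group == "net_su") {
        update control {
            Tmp-String-2 := "net_su"
        }
    }

    # Invalid forms (do not use):
    #   if ("%{Ldap-Group}" == "net_su")                     # nothing to expand
    #   update control { Tmp-String-2 := "%{Ldap-Group}" }   # same problem
    #   if ("net_su" == Ldap-Group)                          # wrong side of ==

    # The equivalent check item in the users file (assumed entry):
    #   DEFAULT  Ldap-Group == "net_su"
    #            Reply-Message = "net_su member"
}
```

One check worth making against the debug output above: the group filter is built from `%{Ldap-UserDn}`, and in Cameron's log that xlat expanded to an empty string, so the search ran with `(member=)` and `(uniquemember=)` and could not match any group. Whatever the cause, the comparison can only succeed once the user's DN is known at the point where the `if` is evaluated, so confirming that `Ldap-UserDn` is populated there (for example with a debug run, or a preceding `if (Ldap-UserDn)` guard) is the first thing to verify.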