Thanks for the link Peter, I'm talking over the possibility of this with the people who run LDAP at my organisation. <br clear="all"><br><br>Regards<br>Cam. <br>--<br><br><br><br><br><br>
<br><br><div class="gmail_quote">On Mon, Sep 27, 2010 at 04:30, Peter Lambrechtsen <span dir="ltr"><<a href="mailto:plambrechtsen@gmail.com">plambrechtsen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
If he is using LDAP then my prior post about the howto would work for him:<br><br><a href="https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html" target="_blank">https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html</a><div>
<div></div><div class="h5"><br>
<br><br><br><div class="gmail_quote">On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div>On 09/26/2010 11:47 AM, Cameron Wood wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
I'm still completely stumped though why I can't get any joy from my<br>
comparisons using the following IF statement<br>
<br>
if (Group-Name == 'net_su') {<br>
update control {<br>
Tmp-String-2 := 'net_su'<br>
}<br>
}<br>
<br>
<br>
The Group-Name checks I have in my Users file return as expected, but I<br>
couldn't see any reason why they aren't working here from the output of<br>
my debug log below<br>
</blockquote>
<br></div>
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?<br>
<br>
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!<br>
<br>
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.<br>
<br>
For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...<br>
<br>
You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:<br>
<br>
/usr/sbin/radiusd -X | tee log<br>
# make your login/radius request in another window, then<br>
# Ctrl+C<br>
<br>
...and send the contents of "log".<br>
<br>
If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf<br>
<br>
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.<br>
<br>
Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)<br>
<br>
Cheers,<br><font color="#888888">
Phil</font><div><div></div><div><br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>
</div></div><br>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>