<blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">/usr/sbin/radiusd -X | tee log<br>
# make your login/radius request in another window, then<br>
# Ctrl+C<br clear="all"></blockquote><br>Thanks for that suggestion, I hadn't actually used 'tee' before, so that will help me make sure I have a full debug log each time. <br><br><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">
Are we talking about Group-Name (which is implemented by the "unix"
module and comes from /etc/group) or Ldap-Group (which is implemented by
the ldap module and comes from ldap lookups)?<br>
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!<br></blockquote>
<br>I honestly don't know which one I should be using; the information is in LDAP, the local system is configured for LDAP and issuing the groups command returns the local and LDAP groups the user is assigned to. Would this suggest that I could just use Group-Name, making use of the unix module? <br>
<br><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">Below you show an attempt to match both in turn. For Group-Name, the
comparison seems to fail; implying that either the "unix" module isn't
configured/loaded or the username isn't in the group you're matching.<br></blockquote><br>I read through the debug log to check that the unix module is getting loaded, which it appears to be. I'm not aware of any configuration that needs to be provided for that module; is there any? As for the user being in the group, that is definitely the case: I have verified this locally on the system, and the Group-Name comparison in Users succeeds for this case. <br>
<br><br><blockquote style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;" class="gmail_quote">If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.<br>
</blockquote><br>This I am looking into. To my knowledge it is correctly set up, as there are lots of other systems around our organisation that are referencing this successfully, but I wonder if the LDAP module is configured correctly; maybe there is a problem with the search string/query? <br>
<br><br>Regards<br>Cam. <br>
<br><br><div class="gmail_quote">On Mon, Sep 27, 2010 at 03:48, Phil Mayers <span dir="ltr">&lt;<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="im">On 09/26/2010 11:47 AM, Cameron Wood wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>
I'm still completely stumped though why I can't get any joy from my<br>
comparisons using the following IF statement<br>
<br>
if (Group-Name == 'net_su') {<br>
update control {<br>
Tmp-String-2 := 'net_su'<br>
}<br>
}<br>
<br>
<br>
The Group-Name checks I have in my Users file return as expected, but I<br>
couldn't see any reason why they aren't working here from the output of<br>
my debug log below<br>
</blockquote>
<br></div>
Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?<br>
<br>
Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!<br>
<br>
Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail; implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.<br>
<br>
For Ldap-Group; the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...<br>
<br>
You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:<br>
<br>
/usr/sbin/radiusd -X | tee log<br>
# make your login/radius request in another window, then<br>
# Ctrl+C<br>
<br>
...and send the contents of "log". <br>
<br>
If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf<br>
<br>
If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.<br>
<br>
Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)<br>
<br>
Cheers,<br><font color="#888888">
Phil</font><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>