Thanks for explaining that Phil, appreciate it. I had come to the conclusion that I couldn't enclose these references because it was trying to expand them and thus expecting them to have a single value. Similarly I couldn't assign from them because of this same reason. But still I was missing the point that you made, that these references implement their own == routine to accomplish these comparisons. I hadn't dealt with Operator Overloading before either so that helped put that in perspective when I looked that up. I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement if (Group-Name == 'net_su') { update control { Tmp-String-2 := 'net_su' } } The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below [ldap] performing user authorization for cameron [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> cameron [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cameron) [ldap] expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 0 rlm_ldap: bind as / to kenrose.ac3.com.au:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (uid=cameron) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user cameron authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop ++? if (Ldap-Group == 'net_su') rlm_ldap: Entering ldap_groupcmp() expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) rlm_ldap: object not found rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group net_su not found or user is not a member. ? Evaluating (Ldap-Group == 'net_su') -> FALSE ++? if (Ldap-Group == 'net_su') -> FALSE ++? if (Group-Name == 'net_su') ? Evaluating (Group-Name == 'net_su') -> FALSE ++? if (Group-Name == 'net_su') -> FALSE Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "cameron" with password "password123 [ldap] user DN: uid=cameron,ou=People,dc=ac3,dc=com,dc=au rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 1 rlm_ldap: bind as uid=cameron,ou=People,dc=ac3,dc=com,dc=au/password123 to kenrose.ac3.com.au:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful [ldap] user cameron authenticated succesfully ++[ldap] returns ok The only thing I could think of is that the LDAP settings aren't correct and hence not finding my group memberships, but if this is the case how does Group-Name when used in the Users file find my assigned groups and successfully compares them? Regards Cam. -- On Sun, Sep 26, 2010 at 19:01, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to include the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post, but I admittedly have tried encasing it in %{...} and adding a list to it as well to try and get it to compare against the right data.
That *is* a logic change.
To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator.
The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" tne == operator, and do this:
for group in all_groups: if group == right-hand-side return True return False
So, this is valid in an "unlang" block:
if (Group-Name == ANYVALUE)
...but ANYTHING alse you might try is not. In particular, none of the following will work:
if ("%{Group-Name]" ...)
update control { An-Attribute = "%{Group-Name}" } if (An-Attribute)
...and so on.
Is the comparison in the right location, in the Authorize section, and
if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything?
Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there?
It does not get "populated". The attribute implements its own == handler, which operates as above.
I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array?
No. See above. It does NOT have a "value".
Do you know any programming languages? If so, think "operator overloading".
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html