Thanks for explaining that Phil, appreciate it.

I had come to the conclusion that I couldn't enclose these references because it was trying to expand them and thus expecting them to have a single value. Similarly I couldn't assign from them because of this same reason. But still I was missing the point that you made, that these references implement their own == routine to accomplish these comparisons. I hadn't dealt with Operator Overloading before either so that helped put that in perspective when I looked that up.

I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement

        if (Group-Name == 'net_su') {
                update control {
                        Tmp-String-2 := 'net_su'
                }
        }


The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below

[ldap] performing user authorization for cameron
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> cameron
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cameron)
[ldap]  expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 0
rlm_ldap: bind as / to kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (uid=cameron)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user cameron authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++? if (Ldap-Group == 'net_su')
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
        expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group net_su not found or user is not a member.
? Evaluating (Ldap-Group == 'net_su') -> FALSE
++? if (Ldap-Group == 'net_su') -> FALSE
++? if (Group-Name == 'net_su')
? Evaluating (Group-Name == 'net_su') -> FALSE
++? if (Group-Name == 'net_su') -> FALSE
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "cameron" with password "password123
[ldap] user DN: uid=cameron,ou=People,dc=ac3,dc=com,dc=au
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 1
rlm_ldap: bind as uid=cameron,ou=People,dc=ac3,dc=com,dc=au/password123 to kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user cameron authenticated succesfully
++[ldap] returns ok


The only thing I could think of is that the LDAP settings aren't correct and hence not finding my group memberships, but if this is the case how does Group-Name when used in the Users file find my assigned groups and successfully compares them?


Regards
Cam.
--





On Sun, Sep 26, 2010 at 19:01, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to
include the full, complete debug output log in future.

I don't think the logic of my example has changed since my earlier post,
but I admittedly have tried encasing it in %{...} and adding a list to
it as well to try and get it to compare against the right data.

That *is* a logic change.

To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator.

The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" tne == operator, and do this:

for group in all_groups:
 if group == right-hand-side
   return True
return False

So, this is valid in an "unlang" block:

if (Group-Name == ANYVALUE)

...but ANYTHING alse you might try is not. In particular, none of the following will work:

if ("%{Group-Name]" ...)

update control {
 An-Attribute = "%{Group-Name}"
}
if (An-Attribute)

...and so on.



Is the comparison in the right location, in the Authorize section, and
if so am I trying to compare against the wrong attribute, hence it
getting expanded and not returning anything?

Alan D could you shed some light on how the Group-Name attribute in
Users is populated/gets compared when doing checks there?

It does not get "populated". The attribute implements its own == handler, which operates as above.



I suspect from your comment that the field I am trying to check against
since you say it can contain many values "because the user may be a
member of many, many, groups" could be a long string with separators or
an array of values, would this be right? In which case do I need to use
a regex method or access a specific value within an array?

No. See above. It does NOT have a "value".

Do you know any programming languages? If so, think "operator overloading".

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html