On Aug 15, 2019, at 12:27 PM, Mike Ely <me@mikeely.org> wrote:
Thanks for that. Unfortunately it appears that this only works against the primary group.
Hmm... that then is likely an issue with the underlying password / group store.
Here's the stanza I have in sites-enabled/default:
if (Group == "ipmi") { accept } else { update reply { Reply-Message = "User not allowed to connect to this device" } reject }
When trying to auth with a user who is very much part of the "ipmi" group: (0) if (Group == "ipmi") { (0) if (Group == "ipmi") -> FALSE
After switching the Group check to "Domain Users" (0) if (Group == "Domain Users") { (0) if (Group == "Domain Users") -> TRUE
Is there a known issue surrounding this and if so what if any workaround should I be looking for?
For "Group == foo", the Unix module does: - if primary group is "foo", return "match" - get group "foo" - walk through the list of members seeing if User-Name is a member - if User-Name is a member, return "match" - otherwise return "no match" Alan DeKok.