On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to include the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post, but I admittedly have tried encasing it in %{...} and adding a list to it as well to try and get it to compare against the right data.
That *is* a logic change. To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator. The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" tne == operator, and do this: for group in all_groups: if group == right-hand-side return True return False So, this is valid in an "unlang" block: if (Group-Name == ANYVALUE) ...but ANYTHING alse you might try is not. In particular, none of the following will work: if ("%{Group-Name]" ...) update control { An-Attribute = "%{Group-Name}" } if (An-Attribute) ...and so on.
Is the comparison in the right location, in the Authorize section, and if so am I trying to compare against the wrong attribute, hence it getting expanded and not returning anything?
Alan D could you shed some light on how the Group-Name attribute in Users is populated/gets compared when doing checks there?
It does not get "populated". The attribute implements its own == handler, which operates as above.
I suspect from your comment that the field I am trying to check against since you say it can contain many values "because the user may be a member of many, many, groups" could be a long string with separators or an array of values, would this be right? In which case do I need to use a regex method or access a specific value within an array?
No. See above. It does NOT have a "value". Do you know any programming languages? If so, think "operator overloading".