On Jun 11, 2020, at 10:15 AM, Jérôme BERTHIER <Jerome.Berthier@inria.fr> wrote:
I wrote an authorize policy used to update some VPN attributes against specific ldap groups.
I see a different behavior when I use a "switch case" logic versus using "if" condition.
When using "switch case", the ldap module is not called. So, the ldap group is not populated and the test doesn't work.
But if I do the same test using an "if" condition then it works.
Because LDAP-Group is really a short-hand for "search ldap". The LDAP-Group attribute doesn't have one particular value.
Configuration using "switch case" - not working in authorize section :
switch &Ldap-group {
if the user is in 4 groups, which "case" statement should it choose? a) only one. If so, which one? b) all match ones, if so, why? Just use "if" statements. Because they make sense. Alan DeKok.