Operator "!=" not allowed for LDAP group comparisons
Hi, how can I reject an ldap user if it is not member of a group by using the users file? I tried this: DEFAULT NAS-Identifier == "openVPN", LDAP-Group != "01-PL-Allow-VPN", Auth-Type := Reject But in the logs I see this: ERROR: files: Operator "!=" not allowed for LDAP group comparisons
On Feb 17, 2025, at 1:32 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi, how can I reject an ldap user if it is not member of a group by using the users file?
Use a policy in unlink.
But in the logs I see this:
ERROR: files: Operator "!=" not allowed for LDAP group comparisons
Exactly. In a policy, you can do: if (!(LDAP-Group == "foo") ... This is a limitation of the way the LDAP-Group attribute is implemented, and how the "users" file works. Alan DeKok.
What is unlink, a file or module? I don't have this in my installation (FreeRADIUS Version 3.2.1) if (!(LDAP-Group == "foo") Where exactly I put this: in sites-enabled/default? I think I could invert the logic to keep using the users file right? Something like this: DEFAULT NAS-Identifier == "openVPN", LDAP-Group == "01-PL-Allow-VPN", Auth-Type := Accept An then set the auth-type to reject for everyone else: DEFAULT Auth-Type := Reject Thanks Em segunda-feira, 17 de fevereiro de 2025 às 15:42:54 BRT, Alan DeKok <aland@deployingradius.com> escreveu: On Feb 17, 2025, at 1:32 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hi, how can I reject an ldap user if it is not member of a group by using the users file?
Use a policy in unlink.
But in the logs I see this:
ERROR: files: Operator "!=" not allowed for LDAP group comparisons
Exactly. In a policy, you can do: if (!(LDAP-Group == "foo") ... This is a limitation of the way the LDAP-Group attribute is implemented, and how the "users" file works. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
Rodrigo Antunes