Users-file and LDAP backend mixing questions
Куприянов Максим
max2k1 at yandex.ru
Wed Jan 21 07:49:57 CET 2009
> OK. Let's backtrack. Something is wrong here.
> Try unlang: if (!control:Ldap-Group) { ...
>
>
> I have done this with Auth-Type before and it works. But you say that
> this is active regardless of user being in ldap group or not. Try this:
>
> ldap
>
> if(!control:Ldap-Group) {
> }
> update control {
> Ldap-Group = "something"
> }
> if(!control:Ldap-Group) {
> }
>
> It looks to me that your ldap module is not populating Ldap-Group.
>
> Ivan Kalik
> Kalik Informatika ISP
>
You're right. These are the test results for a user who for sure belongs to some groups:
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:27:35 2009 : Info: +++++- if (!control:Ldap-Group) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++[control] returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: +++- if (ok) returns notfound
Another example with such a config:
if(control:Ldap-Group == "telnet") {
}
if(Ldap-Group == "telnet") {
}
if(!Ldap-Group) {
}
if(!control:Ldap-Group) {
}
Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Info: (Attribute control:Ldap-Group was not found)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Wed Jan 21 11:44:18 2009 : Info: expand: o=myorg -> o=myorg
Wed Jan 21 11:44:18 2009 : Info: expand: (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))) -> (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: performing search in o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg)))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (Ldap-Group == "telnet") {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (Ldap-Group == "telnet") returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (!Ldap-Group) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++[ok] returns ok
Wed Jan 21 11:44:18 2009 : Info: ++++- if (!control:Ldap-Group) returns ok