Checking ldap-group in post-auth instead of users file?

Fred MAISON fred.maison at gmail.com
Tue Jun 1 15:43:41 CEST 2010


I surely misunderstand something: in my test:
User is found on ldap in group wireless, but (Ldap-Group != "wireless")
evaluates to TRUE ...
NOTE: user has multiple radiusgroupname

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++? if (Ldap-Group != "wireless")
  [ldap] Entering ldap_groupcmp()
        expand: dc=corp,dc=carrefour,dc=com ->
dc=corp,dc=carrefour,dc=com
        expand: %{Stripped-User-Name} ->
        ... expanding second conditional
        expand: %{User-Name} -> stephane_deroch
        expand: (&(uid=
%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile)) ->
(&(uid=stephane_deroch)(objectclass=radiusProfile))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=corp,dc=carrefour,dc=com, with filter
(&(radiusGroupName=wireless)(&(uid=stephane_deroch)(objectclass=radiusProfile)))
rlm_ldap::ldap_groupcmp: User found in group wireless
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group != "wireless") -> TRUE
++? if (Ldap-Group != "wireless") -> TRUE
++- entering if (Ldap-Group != "wireless") {...}
+++[control] returns noop
+++[reject] returns reject
++- if (Ldap-Group != "wireless") returns reject
} # server inner-tunnel
[peap] Got tunneled reply code 3



On Tuesday 01 June 2010 at 15:23 +0200, Alan DeKok wrote:
> Fred MAISON wrote:
> > How can I make checks on ldap radiusgroupname without using the user
> > file?
> 
>   Use attribute comparisons just like the "users" file.
> 
> > I have not been able to place something like this in the post-auth
> > section of inner-tunnel ...
> >               if ( "%{control:Ldap-Group}" == "wireless" )  {
> 
>   This isn't like the "users" file.
> 
> 	if (LDAP-Group == "wireless") {
> 		...
> 	}
> 
>   The extra "${control:...}" text isn't necessary.
> 
>   Alan DeKok.