unlang post-auth group-name
Cameron Wood
cameron.e.wood at gmail.com
Sat Oct 2 14:27:18 CEST 2010
> note the "rlm_ldap: ldap_search() failed: Bad search filter" line

Thanks for pointing that out for me, Alan; I missed that in the debug log.

> Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is
> difficult to debug (as we are finding)
>
> Secondly, doing the LDAP lookups directly gives you a more rich interface
> to the underlying LDAP data. Doing it via rlm_unix limits you to schema
> elements present in the posix LDAP schema and get*ent calls

Those both make perfect sense; thanks for explaining that, Phil.

I finally got this working with the following groupmembership_filter...

"(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

Thanks again to those who helped me with this; it's appreciated.
Regards
Cameron.
--
On Mon, Sep 27, 2010 at 22:44, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 27/09/10 11:44, Cameron Wood wrote:
>
>> groupname_attribute = cn
>> groupmembership_filter =
>>
>> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
>> groupmembership_attribute = radiusGroupName
>>
>>
>> Attached is a debug log of my logon attempts with these settings, which
>> still fails unfortunately.
>>
>
> The filter is invalid. You're missing a trailing ")" which is easily done
> in the stupid LDAP filter syntax.
>
>> If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
>> queries, even if nssswitch is setup for it.
>>
>> Noted. Are you able to elaborate on why this is the case, though? I'd
>> just like to understand, only if it's not too much trouble.
>>
>
> Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix
> is difficult to debug (as we are finding).
>
> Secondly, doing the LDAP lookups directly gives you a more rich interface
> to the underlying LDAP data. Doing it via rlm_unix limits you to schema
> elements present in the posix LDAP schema and get*ent calls.
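Added example (not from this thread and not FreeRADIUS's own code): a small Python checker for the two things the thread turns on. First, the structural problem Phil spotted, a filter one ")" short, which is what "Bad search filter" is reporting. Second, the fallback xlat %{%{Stripped-User-Name}:-%{User-Name}} in the working filter, where the expanded value is user-controlled and must be escaped per RFC 4515 before it is spliced into the filter, or a username such as `*)(uid=*` rewrites the query. The xlat grammar here is a deliberately simplified subset (an assumption, enough for the two forms seen above), the two filters are copied from the thread, and the hostile username is constructed for the demonstration.

```python
import re

# The filter Phil flagged (one ")" short) and the one that finally worked,
# both taken from the thread above.
BROKEN_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
    "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
)
WORKING_TEMPLATE = (
    "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
)

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value so it cannot add or close filter terms."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def filter_is_balanced(flt: str) -> bool:
    """True if parentheses balance and the whole filter is one enclosed term.

    This is only the structural check behind 'Bad search filter'; it does not
    validate attribute names or operators.
    """
    if not flt.startswith("("):
        return False
    depth, i = 0, 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":            # skip an RFC 4515 hex escape such as \29
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False      # more ")" than "("
            if depth == 0 and i != len(flt) - 1:
                return False      # top-level term closed with text after it
        i += 1
    return depth == 0


# Simplified xlat grammar (assumption: enough for the two forms in the thread):
#   %{Attr}                  plain attribute reference
#   %{%{Attr-A}:-%{Attr-B}}  Attr-A, falling back to Attr-B when A is unset/empty
_XLAT = re.compile(r"%\{(?:%\{([^{}]+)\}:-%\{([^{}]+)\}|([^{}]+))\}")


def expand(template: str, attrs: dict, escape: bool = True) -> str:
    """Expand xlats in the filter template from a dict of request attributes."""
    def sub(m):
        if m.group(1):
            value = attrs.get(m.group(1)) or attrs.get(m.group(2), "")
        else:
            value = attrs.get(m.group(3), "")
        return ldap_escape(value) if escape else value
    return _XLAT.sub(sub, template)


def leaf_count(flt: str) -> int:
    """Number of innermost (attr=value) terms; an escaped value never adds one."""
    return len(re.findall(r"\([^()]*\)", flt))


if __name__ == "__main__":
    print("broken filter balanced?  ", filter_is_balanced(BROKEN_FILTER))
    print("working template balanced?", filter_is_balanced(WORKING_TEMPLATE))
    normal = {"User-Name": "cameron@example.org", "Stripped-User-Name": "cameron"}
    print(expand(WORKING_TEMPLATE, normal))
    hostile = {"User-Name": "*)(uid=*"}   # constructed hostile username
    raw = expand(WORKING_TEMPLATE, hostile, escape=False)
    safe = expand(WORKING_TEMPLATE, hostile)
    print(raw, "terms:", leaf_count(raw), "balanced:", filter_is_balanced(raw))
    print(safe, "terms:", leaf_count(safe), "balanced:", filter_is_balanced(safe))
```

The point of the last two lines is the caveat: the injected filter is perfectly balanced, so the paren check that catches Phil's typo says nothing about injection; only escaping the expanded value keeps the term count fixed. Whether the server escapes xlat output before it reaches the LDAP filter is something to confirm in the rlm_ldap documentation for the version you run; the example makes no assumption about that and just shows why it matters.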