unlang post-auth group-name
Phil Mayers
p.mayers at imperial.ac.uk
Sun Sep 26 19:48:46 CEST 2010
On 09/26/2010 11:47 AM, Cameron Wood wrote:
>
> I'm still completely stumped though why I can't get any joy from my
> comparisons using the following IF statement
>
> if (Group-Name == 'net_su') {
>     update control {
>         Tmp-String-2 := 'net_su'
>     }
> }
>
>
> The Group-Name checks I have in my Users file return as expected, but I
> couldn't see any reason why they aren't working here from the output of
> my debug log below

Are we talking about Group-Name (which is implemented by the "unix"
module and comes from /etc/group) or Ldap-Group (which is implemented by
the ldap module and comes from ldap lookups)?

Both implement their own == hooks so the same constraints apply, but the
difference is relevant of course!

Below you show an attempt to match both in turn. For Group-Name, the
comparison seems to fail, implying that either the "unix" module isn't
configured/loaded or the username isn't in the group you're matching.

For Ldap-Group, the issue seems to be that when the group comparison is
done, "Ldap-UserDn" is null. I don't see how that is possible in the
source code, but...

You've only posted a subset of the debug output; seriously, please don't
trim it. You want to do something like:

    /usr/sbin/radiusd -X | tee log
    # make your login/radius request in another window, then
    # Ctrl+C

...and send the contents of "log".

If you are trying to match (unix) Group-Name, you will need to ensure
the "unix" module is present and instantiated in the config - either by
ensuring it's present in the "authorize" section, or if you don't want
to run it, putting it in the "instantiate" section of radiusd.conf.

If you are trying to match (ldap) Ldap-Group, you will need to ensure
that the LDAP directory is correctly populated.

Either way, we keep getting partial info from you, so it's hard to help.
A full "radiusd -X" debug will allow us to see exactly what the full
module config, load order and processing chain for a request is. Help us
to help you ;o)

Cheers,
Phil
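
The condition described in the message above for Group-Name comparisons (the "unix" module listed in the "authorize" section or in "instantiate") can be checked mechanically. The Python below is an added example, not part of the original post and not FreeRADIUS code. It assumes the configuration has been gathered into one string with one item per line (it does not follow $INCLUDE); the function names and both sample configurations are constructed for illustration.

```python
import re

# A module reference is a bare word on its own line, e.g. "unix" or "files".
BARE_WORD = re.compile(r"^[A-Za-z0-9_.-]+$")

def referenced_modules(config_text, section):
    """Collect bare module names listed anywhere inside `section { ... }`."""
    found, depth, inside = set(), 0, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if not inside:
            if line == section + " {":
                inside, depth = True, 1
            continue
        if line.endswith("{"):        # nested block such as "if (...) {"
            depth += 1
        elif line == "}":
            depth -= 1
            inside = depth > 0        # section ends when its brace closes
        elif BARE_WORD.match(line):
            found.add(line)
    return found

def group_name_hook_available(config_text):
    """True if "unix" is listed in "instantiate" or "authorize"."""
    return any("unix" in referenced_modules(config_text, s)
               for s in ("instantiate", "authorize"))

# Constructed sample: "unix" is commented out, so Group-Name has no == hook.
BROKEN = """
instantiate {
    exec
    expr
}
authorize {
    preprocess
    # unix
    files
}
post-auth {
    if (Group-Name == 'net_su') {
        update control {
            Tmp-String-2 := 'net_su'
        }
    }
}
"""
# Constructed fix: load "unix" without running it, via "instantiate".
FIXED = BROKEN.replace("    expr\n", "    expr\n    unix\n")
```

A passing check only shows that the module is referenced; the user must still be a member of the group in /etc/group for the comparison to match.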