unlang post-auth group-name

Peter Lambrechtsen plambrechtsen at gmail.com
Sun Sep 26 20:30:26 CEST 2010

If he is using LDAP then my prior post about the howto would work for him:


On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.mayers at imperial.ac.uk>wrote:

> On 09/26/2010 11:47 AM, Cameron Wood wrote:
>> I'm still completely stumped though why I can't get any joy from my
>> comparisons using the following IF statement
>>         if (Group-Name == 'net_su') {
>>                 update control {
>>                         Tmp-String-2 := 'net_su'
>>                 }
>>         }
>> The Group-Name checks I have in my Users file return as expected, but I
>> couldn't see any reason why they aren't working here from the output of
>> my debug log below
> Are we talking about Group-Name (which is implemented by the "unix" module
> and comes from /etc/group) or Ldap-Group (which is implemented by the ldap
> module and comes from ldap lookups)?
> Both implement their own == hooks so the same constraints apply, but the
> difference is relevant of course!
> Below you show an attempt to match both in turn. For Group-Name, the
> comparison seems to fail; implying that either the "unix" module isn't
> configured/loaded or the username isn't in the group you're matching.
> For Ldap-Group; the issue seems to be that when the group comparison is
> done, "Ldap-UserDn" is null. I don't see how that is possible in the source
> code, but...
> You've only posted a subset of the debug output; seriously, please don't
> trim it. You want to do something like:
> /usr/sbin/radiusd -X | tee log
> # make your login/radius request in another window, then
> # Ctrl+C
> ...and send the contents of "log".
> If you are trying to match (unix) Group-Name, you will need to ensure the
> "unix" module is present and instantiated in the config - either by ensuring
> it's present in the "authorize" section, or if you don't want to run it,
> putting it in the "instantiate" section of radiusd.conf
> If you are trying to match (ldap) Ldap-Group, you will need to ensure that
> the LDAP directory is correctly populated.
> Either way, we keep getting partial info from you, so it's hard to help. A
> full "radiusd -X" debug will allow us to see exactly what the full module
> config, load order and processing chain for a request is. Help us to help
> you ;o)
> Cheers,
> Phil
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100927/d1bcfb2f/attachment.html>

More information about the Freeradius-Users mailing list