unlang post-auth group-name

Cameron Wood cameron.e.wood at gmail.com
Mon Sep 27 02:28:21 CEST 2010


Thanks for the link Peter, I'm talking over the possibility of this with the
people who run LDAP at my organisation.


Regards
Cam.
On Mon, Sep 27, 2010 at 04:30, Peter Lambrechtsen
<plambrechtsen at gmail.com> wrote:

> If he is using LDAP then my prior post about the howto would work for him:
>
>
> https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>
>
>
>
> On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
>> On 09/26/2010 11:47 AM, Cameron Wood wrote:
>>
>>>
>>> I'm still completely stumped though why I can't get any joy from my
>>> comparisons using the following IF statement
>>>
>>>         if (Group-Name == 'net_su') {
>>>                 update control {
>>>                         Tmp-String-2 := 'net_su'
>>>                 }
>>>         }
>>>
>>>
>>> The Group-Name checks I have in my Users file return as expected, but I
>>> couldn't see any reason why they aren't working here from the output of
>>> my debug log below
>>>
>>
>> Are we talking about Group-Name (which is implemented by the "unix" module
>> and comes from /etc/group) or Ldap-Group (which is implemented by the ldap
>> module and comes from ldap lookups)?
>>
>> Both implement their own == hooks so the same constraints apply, but the
>> difference is relevant of course!
>>
>> Below you show an attempt to match both in turn. For Group-Name, the
>> comparison seems to fail; implying that either the "unix" module isn't
>> configured/loaded or the username isn't in the group you're matching.
>>
>> For Ldap-Group; the issue seems to be that when the group comparison is
>> done, "Ldap-UserDn" is null. I don't see how that is possible in the source
>> code, but...
>>
>> You've only posted a subset of the debug output; seriously, please don't
>> trim it. You want to do something like:
>>
>> /usr/sbin/radiusd -X | tee log
>> # make your login/radius request in another window, then
>> # Ctrl+C
>>
>> ...and send the contents of "log".
>>
>> If you are trying to match (unix) Group-Name, you will need to ensure the
>> "unix" module is present and instantiated in the config - either by ensuring
>> it's present in the "authorize" section, or if you don't want to run it,
>> putting it in the "instantiate" section of radiusd.conf
>>
>> If you are trying to match (ldap) Ldap-Group, you will need to ensure that
>> the LDAP directory is correctly populated.
>>
>> Either way, we keep getting partial info from you, so it's hard to help. A
>> full "radiusd -X" debug will allow us to see exactly what the full module
>> config, load order and processing chain for a request is. Help us to help
>> you ;o)
>>
>> Cheers,
>> Phil
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
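Phil's two points (the "unix" module must be instantiated before a Group-Name comparison can succeed, and Ldap-Group needs the ldap module to have run first) as an added illustration that is not from the thread: a minimal FreeRADIUS 2.x layout assuming a stock install with radiusd.conf and sites-enabled/default, reusing the net_su group and Tmp-String-2 from Cam's snippet.

```unlang
# radiusd.conf: instantiate "unix" even if no processing section calls it,
# so its Group-Name == comparison hook is registered at startup.
instantiate {
    unix
}

# sites-enabled/default: in authorize, run "unix" before the comparison.
# Group-Name is resolved for User-Name from /etc/group, so the check also
# fails when the account simply is not a member of net_su there.
authorize {
    preprocess
    unix
    if (Group-Name == 'net_su') {
        update control {
            Tmp-String-2 := 'net_su'
        }
    }

    # LDAP-backed groups use Ldap-Group instead; "ldap" must already have
    # run for this request so Ldap-UserDn is populated before the compare.
    ldap
    if (Ldap-Group == 'net_su') {
        update control {
            Tmp-String-2 := 'net_su'
        }
    }
}
```

Confirm the ordering with the full `radiusd -X` output: the "unix" (or "ldap") module lines must appear before the `if` evaluation for the same request.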