unlang post-auth group-name

Phil Mayers p.mayers at imperial.ac.uk
Mon Sep 27 09:53:27 CEST 2010

On 09/27/2010 01:09 AM, Cameron Wood wrote:
>     Are we talking about Group-Name (which is implemented by the "unix"
>     module and comes from /etc/group) or Ldap-Group (which is
>     implemented by the ldap module and comes from ldap lookups)?
>     Both implement their own == hooks so the same constraints apply, but
>     the difference is relevant of course!
> I honestly don't know which one I should be using; the information is in
> LDAP, the local system is configured for LDAP and issuing the groups
> command returns the local and LDAP groups the user is assigned to. Would
> this suggest that I could just use Group-Name, making use of the unix
> module?

If you can query LDAP directly, do so. Do not use rlm_unix for LDAP 
queries, even if nssswitch is setup for it.

>     Below you show an attempt to match both in turn. For Group-Name, the
>     comparison seems to fail; implying that either the "unix" module
>     isn't configured/loaded or the username isn't in the group you're
>     matching.
> I read through the debug log to check that the unix module is getting
> loaded, which it appears to be, I'm not aware of any configuration that
> needs to be provided for that module, is there any? As for the user

No. As long as the module is being instantiated (which it is) then 
Group-Name should work.

> being in the group that is definitely the case, I have verified this
> locally on the system, and the Group-Name comparison in Users succeeds
> for this case.

Really? Hmm.

>     If you are trying to match (ldap) Ldap-Group, you will need to
>     ensure that the LDAP directory is correctly populated.
> This I am looking into, to my knowledge it is correctly setup as there
> are lots of other systems around our organisation that are referencing
> this successfully, but I wonder if the LDAP module is configured
> correctly, maybe there is a problem with the search string/query?

I think there might be actually; you have:

groupmembership_filter = "...(member=%{Ldap-UserDn}..."

...but the default/sample configs that come with the server have:

groupmembership_filter = "...(member=%{control:Ldap-UserDn}..."

That "control:" is important. Which version of the server are you using 
and where did you get the configs from? If you replace "Ldap-UserDn" 
with "control:Ldap-UserDn" (it appears twice in the group filter) does 
it work?

More information about the Freeradius-Users mailing list