using Ldap-Group attribute checks in policy.txt

Thomas Wunder thomas.wunder at
Mon Mar 7 17:25:32 CET 2011

i'd like to specify my auth-policies using the rlm_policy module (since i like it's obvious flexibility and the cleanness of it's policy syntax and because i wasn't able to solve some particular problems with rlm_files) but there's one big problem left:
until now i've been using the Ldap-Group attribute within my users file (i want to get rid of rlm_files) to check whether the user -- which is to be authorized -- is a member of a particular ldap group. i also need to do this check within my intended 'policy setup' but it turned out that i can't get conditions of the form (e.g.) 

if( Ldap-Group==vpn-staff ){

to work. conditions that comprise this attribute in any way always evaluate to false while others like e.g. Called-Station-Id, NAS-Identifier, NAS-Port and any combination thereof work as expected.
might this have something to do with the fact that Ldap-Group is not a 'real' attribute? rlm_ldap is active by the way. it says 'rlm_ldap: Registering ldap_groupcmp for Ldap-Group' when the daemon starts up and obviously it doesn't matter whether 'policy' is before or after 'ldap' in the authorize sections of 'sites-available/default'/'sites-available/inner-tunnel' in this respect. 

by browsing the code of rlm_policy a bit i figured that 'find_vp' returns 0 if it gets passed 'Ldap-Group' (i might be wrong). it's called approximately around line 589 (by 'vp = find_vp(state->request, this->lhs);') of 'rlm_policy/evaluate.c'.

what can i do to get the 'Ldap-Group'-stuff working? could anyone (otherwise) tell me how to fit the 'paircompare(...)' (as is used in rlm_files) function in the rlm_policy context or provide a patch which does?

thanks in advance
best regards

More information about the Freeradius-Users mailing list