FR 3 + Ldap-Group check during the authorization
C.D.
c_dornig at gmx.de
Thu Nov 14 10:59:09 CET 2013
Hi,
We are currently trying the official FreeRADIUS 3.0 version for migrating
the configs from FR2.
In our FR 2.x setup, we use Ldap-Group checks during the authorization
process.
This is configured by unlang and a policy like:
[policy.conf]
    checkusers {
        if (Ldap-Group == "GROUP1") {
            update reply {
                Tunnel-Type = 13
                Tunnel-Medium-Type = 6
                Tunnel-Private-Group-Id = 100
            }
            ok
        }
        elsif (Ldap-Group == "GROUP2") {
            update reply {
                Tunnel-Type = 13
                Tunnel-Medium-Type = 6
                Tunnel-Private-Group-Id = 100
            }
            ok
        }
        else {
            reject
        }
    }
The checks are made in the default server:
[sites-available/default]
    authorize {
        preprocess
        ldap
        checkusers
        mschap
        :
    }
Each group check works, but every time it produces a log message:
"Invalid operator for item Ldap-Group: reverting to '=='"
In the debug output, we got this:
<DEBUG>
    :
    rlm_ldap (ldap): Released connection (4)
    (0) User is not a member of specified group
    Invalid operator for item Ldap-Group: reverting to '=='
    (0) ? if (Ldap-Group == "GROUP1") -> FALSE
    (0) ? elsif (Ldap-Group == "GROUP2")
    :
</DEBUG>
When we put checkusers into post-auth, the log messages about the
invalid operator are gone.
What is wrong here?
Why does the message "Invalid operator for item Ldap-Group: reverting to
'=='" pop up in the authorize process but not in post-auth?
With regards,
C.
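To see which branch of a policy like checkusers fired for each request, and which evaluations were preceded by the "Invalid operator" warning, the following Python script parses FreeRADIUS 3 debug output of the kind quoted above. It is an added example, not part of the mailing-list post or of FreeRADIUS itself; the sample debug lines are constructed from the excerpt in the message (a second request is added for contrast), and the line formats it matches are assumed to follow that excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the excerpt in the post.
# Request (1) is added so that a matching branch is also shown.
SAMPLE_DEBUG = """\
rlm_ldap (ldap): Released connection (4)
(0) User is not a member of specified group
Invalid operator for item Ldap-Group: reverting to '=='
(0) ? if (Ldap-Group == "GROUP1") -> FALSE
(0) User is not a member of specified group
Invalid operator for item Ldap-Group: reverting to '=='
(0) ? elsif (Ldap-Group == "GROUP2") -> FALSE
(0)   reject
rlm_ldap (ldap): Released connection (5)
(1) User found in group GROUP1
Invalid operator for item Ldap-Group: reverting to '=='
(1) ? if (Ldap-Group == "GROUP1") -> TRUE
"""

# "(N) ? if (<condition>) -> TRUE|FALSE" as printed by the unlang interpreter
COND_RE = re.compile(
    r'^\((?P<req>\d+)\)\s+\?\s+(?:if|elsif)\s+\((?P<cond>.*)\)\s+->\s+(?P<result>TRUE|FALSE)\s*$'
)
# the warning line quoted in the post (no request prefix)
WARN_RE = re.compile(r"^Invalid operator for item (?P<attr>[\w-]+): reverting to '=='\s*$")


@dataclass
class ConditionResult:
    request: int            # request number from the "(N)" prefix
    condition: str          # text inside the if/elsif parentheses
    result: bool            # TRUE -> True, FALSE -> False
    warnings: List[str] = field(default_factory=list)  # attributes named in warnings logged just before


def parse_debug(text: str) -> List[ConditionResult]:
    """Walk the debug output line by line, attaching each "Invalid operator"
    warning to the next unlang condition that is evaluated."""
    results: List[ConditionResult] = []
    pending: List[str] = []   # warnings seen since the last condition line
    for line in text.splitlines():
        warn = WARN_RE.match(line)
        if warn:
            pending.append(warn.group("attr"))
            continue
        cond = COND_RE.match(line)
        if cond:
            results.append(ConditionResult(
                request=int(cond.group("req")),
                condition=cond.group("cond"),
                result=cond.group("result") == "TRUE",
                warnings=pending,
            ))
            pending = []
    return results


def first_match(results: List[ConditionResult], request: int) -> Optional[str]:
    """Condition text of the first branch that evaluated TRUE for a request, or None."""
    for r in results:
        if r.request == request and r.result:
            return r.condition
    return None


def warning_counts(results: List[ConditionResult]) -> Dict[str, int]:
    """How often each attribute triggered the warning across all conditions."""
    counts: Dict[str, int] = {}
    for r in results:
        for attr in r.warnings:
            counts[attr] = counts.get(attr, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_DEBUG)
    for r in parsed:
        flag = " [warned: %s]" % ",".join(r.warnings) if r.warnings else ""
        print(f"({r.request}) {r.condition!r} -> {r.result}{flag}")
    print("warnings per attribute:", warning_counts(parsed))
```

Feed it the output of `radiusd -X` instead of the constructed sample to check whether the warning really accompanies every Ldap-Group comparison in authorize and none in post-auth, which is the difference the post asks about.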