Ldap Huntgroup 'Reject' issue

Alan DeKok aland at deployingradius.com
Wed Nov 25 23:04:01 CET 2020


On Nov 25, 2020, at 4:45 PM, Kaya Saman via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> By 'l' value I meant the LocalityName attribute in ldap - for reference: http://www-public.imtbs-tsp.eu/~gardie/LDAP/Classes/Attributes-L.html

  Ok... that was not clear at all from your message.

> By doing:
> 
> authorize {
> 
>         update request {
>                 Huntgroup-Name ="%{ldap:ldap:///<ldap path>?l?sub?cn=%{Packet-Src-IP-Address}}"
> 
> 
> The Huntgroup-Name should equal the ?l? portion within the ldap path given before the Auth := Accept/Reject decision is made.

  Except that Huntgroup-Name already has a meaning.  It performs checks in the "huntgroup" file.

> I think this is where I am getting myself confused a little and probably finding it difficult to explain in addition??

  You want to do a lot, so break it down into little pieces.

> In short I want to test the Huntgroup-Name against the ldap LocalityName attribute which should match. If they don't then send the Auth := Reject.

  No, you don't want to do that.  You want to check ANOTHER attribute against the LDAP LocalityName.

  Please do what I said.  DON'T use Huntgroup-Name.  DO edit raddb/dictionary, and add your own attribute.  Perhaps "My-Huntgroup-Name".

> I'm not sure if there are any examples of this to help me understand better how things work and how they should be implemented?

  I gave fairly clear instructions:

>>   I'd also say to start with a simple example.  Add a local attribute in raddb/dictionary, and use that.  Maybe even move the "users" file checks to "unlang".

  Break the problem down into pieces.  If the "authorize" file seems confusing, use basic "unlang" statements.  The debug output for "unlang" is very long and descriptive.  It will tell you exactly what it's doing, and why.

  In contrast, the debug for the "authorize" file only shows what matches.  It doesn't show why entries *don't* match.

  Alan DeKok.
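
The advice above (a local attribute in raddb/dictionary, checked with plain "unlang"), sketched as an added example in FreeRADIUS v3 syntax; it is not part of the original thread. The attribute numbers, the name My-LDAP-Locality, the address 192.0.2.10 and the value "site-a" are assumptions made for illustration, and `<ldap path>` is left elided as in the quoted post.

```unlang
# --- raddb/dictionary -------------------------------------------------
# Local attributes (numbers are assumptions; pick unused ones).
ATTRIBUTE	My-Huntgroup-Name	3000	string
ATTRIBUTE	My-LDAP-Locality	3001	string

# --- raddb/sites-enabled/default --------------------------------------
authorize {
	# Assumption: the per-NAS group is assigned here in unlang
	# instead of through the "huntgroups" file. Address and value
	# are constructed samples.
	if (&Packet-Src-IP-Address == 192.0.2.10) {
		update request {
			&My-Huntgroup-Name := "site-a"
		}
	}

	# Fetch the LocalityName ("l") of the LDAP entry whose cn is
	# the packet source address, as in the quoted lookup.
	update request {
		&My-LDAP-Locality := "%{ldap:ldap:///<ldap path>?l?sub?cn=%{Packet-Src-IP-Address}}"
	}

	# Fail closed: reject when either value is missing or when the
	# two differ. The existence checks come first so that a failed
	# LDAP lookup cannot slip past the comparison.
	if (!&My-Huntgroup-Name || !&My-LDAP-Locality || (&My-Huntgroup-Name != &My-LDAP-Locality)) {
		reject
	}
}
```

Running the server with `radiusd -X` shows each of these conditions being evaluated, including the expanded LDAP URL and the result of the comparison.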



