Operator "!=" not allowed for LDAP group comparisons

Rodrigo Antunes rodrigoaantunes at yahoo.com.br
Mon Feb 17 20:10:48 UTC 2025


What is unlink, a file or module? I don't have this in my installation (FreeRADIUS Version 3.2.1)

if (!(LDAP-Group == "foo")
Where exactly do I put this: in sites-enabled/default?


I think I could invert the logic to keep using the users file, right?

Something like this:

DEFAULT NAS-Identifier == "openVPN", LDAP-Group == "01-PL-Allow-VPN", Auth-Type := Accept

And then set the auth-type to reject for everyone else:

DEFAULT Auth-Type := Reject

Thanks







On Monday, February 17, 2025 at 15:42:54 BRT, Alan DeKok <aland at deployingradius.com> wrote:

On Feb 17, 2025, at 1:32 PM, Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi, how can I reject an ldap user if it is not member of a group by using the users file?

  Use a policy in unlink.


> But in the logs I see this:
> 
> ERROR: files: Operator "!=" not allowed for LDAP group comparisons


  Exactly.

  In a policy, you can do:

    if (!(LDAP-Group == "foo") ...

  This is a limitation of the way the LDAP-Group attribute is implemented, and how the "users" file works.

  Alan DeKok.
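
The negated group check from this thread, written out as a complete condition in a virtual server's authorize section. This is an added example, not part of the original messages; the placement in sites-enabled/default and the LDAP module instance name "ldap" are assumptions, while the NAS-Identifier and group values are the ones quoted above.

```unlang
# Assumed location: the authorize section of sites-enabled/default.
authorize {
	# ... the modules already listed in this section stay as they are ...

	# Assumption: the LDAP module instance is named "ldap" and is enabled.
	ldap

	# Only apply the group requirement to requests from the VPN NAS.
	if (NAS-Identifier == "openVPN") {
		# Negate the "==" comparison instead of using "!=", which the
		# server refuses for LDAP-Group.
		if (!(LDAP-Group == "01-PL-Allow-VPN")) {
			reject
		}
	}

	# Nothing here sets Auth-Type, so users who pass the group check
	# are still authenticated by the method the server is configured for.
}
```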




