19.01.09, 16:52, t...@kalik.net:
> >> > 3. Also I need a reject rule for those users, who were authenticated by
> >> > LDAP and do not belong to any ldap-group. I've tried Ldap-Group !*, but
> >> > this attribute always exists for every user :(
>
> Try unlang:
>
> if (!control:Ldap-Group) {
> ...
>
> Ivan Kalik
> Kalik Informatika ISP
It doesn't work. For example, a user who for sure belongs to some LDAP group:

Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dmax\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dmax\2cou\3dradius\2co\3dmyorg)))))
Mon Jan 19 19:16:42 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet

Here is a part of my test configuration from the authorize section:

if (!Ldap-Group) { ok }
if (!control:Ldap-Group) { ok }
if (!request:Ldap-Group) { ok }
if (!reply:Ldap-Group) { ok }
if (!config:Ldap-Group) { ok }

Here are the results from -X:

Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!control:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(request:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!request:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!request:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!request:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(reply:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!reply:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!reply:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!reply:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group)
Mon Jan 19 19:16:42 2009 : Info: ? Evaluating !(config:Ldap-Group) -> FALSE
Mon Jan 19 19:16:42 2009 : Info: ++++? if (!config:Ldap-Group) -> TRUE
Mon Jan 19 19:16:42 2009 : Info: ++++- entering if (!config:Ldap-Group) {...}
Mon Jan 19 19:16:42 2009 : Info: +++++[ok] returns ok
Mon Jan 19 19:16:42 2009 : Info: ++++- if (!config:Ldap-Group) returns ok
Mon Jan 19 19:16:42 2009 : Info: +++- if (ok) returns ok

I've also tried Ldap-Group != "*", which always should return something for that user. But the LDAP backend can only deal with one-record-only results :(

---
Maxim

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
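The "performing search" debug line above shows how rlm_ldap turns the user's DN into a group-membership filter, escaping `=` and `,` as `\3d` and `\2c`. The following is an added example (not FreeRADIUS code and not from anyone in this thread) that rebuilds that exact filter and shows why the escaping matters: a DN containing filter metacharacters cannot alter the query structure. The allowlist of unescaped characters and the `is_balanced` helper are assumptions chosen to reproduce the log output.

```python
import string

# Characters left unescaped. This allowlist is an assumption made to reproduce
# the "\3d" (=) and "\2c" (,) escapes visible in the thread's debug output.
ALLOWED = frozenset(string.ascii_letters + string.digits + " @.-_")

# Filter templates copied from the "performing search" debug line in the thread.
MEMBERSHIP_TEMPLATE = (
    "(|(&(objectClass=groupOfNames)(member={dn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember={dn})))"
)
GROUP_TEMPLATE = "(&(cn={group})(&(objectclass=radiusprofile){membership}))"


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    Every byte outside ALLOWED becomes a backslash plus two lowercase hex
    digits, which covers the RFC 4515 specials ( ) * \\ NUL as well as the
    DN separators = and , that the debug line shows being escaped."""
    return "".join(
        chr(b) if chr(b) in ALLOWED else "\\%02x" % b
        for b in value.encode("utf-8")
    )


def build_group_filter(group: str, user_dn: str) -> str:
    """Build the membership search filter for one group and one user DN."""
    membership = MEMBERSHIP_TEMPLATE.format(dn=ldap_escape(user_dn))
    return GROUP_TEMPLATE.format(group=ldap_escape(group), membership=membership)


def is_balanced(ldap_filter: str) -> bool:
    """True if unescaped parentheses balance, i.e. filter structure is intact."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        c = ldap_filter[i]
        if c == "\\":        # skip an escaped byte such as \28
            i += 3
            continue
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed sample input matching the user DN from the thread's debug output.
    print(build_group_filter("telnet", "cn=max,ou=radius,o=myorg"))
```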