19.01.09, 18:13, t...@kalik.net:

> >> >> > 3. Also I need a reject rule for those users who were authenticated 
> >> >> > by LDAP and do not belong to any LDAP group. I've tried Ldap-Group 
> >> >> > !*, but this attribute always exists for every user :(
> >> Try unlang: if (!control:Ldap-Group) { ...
> >> -
> >
> >It doesn't work. For example, a user who definitely belongs to some LDAP group:
> Hm, and you are sure that empty string value check:
> if('%{control:Ldap-Group}' != "") { ...
> isn't working?

Quote from "default" file:
authorize {
    ..
    ldap
    if (ok) {
        if ("%{control:Ldap-Group}" != "") {
            ok
        }
    }
    ..
}

Quote from "users" file (for group existence testing):
..
DEFAULT Framed-Protocol !* any, Ldap-Group == "telnet"
..

Example 1: User belongs to one group:
$ ldapsearch -x cn=test_user groupMembership | grep radius
groupMembership: cn=telnet,ou=profiles,ou=radius,o=myorg
$ radiusd -X -xx -s
..
Tue Jan 20 10:42:26 2009 : Debug: rlm_ldap: performing search in 
ou=radius,o=myorg, with filter 
(&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group 
telnet
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
..
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:42:27 2009 : Info:        expand: %{control:Ldap-Group} ->
Tue Jan 20 10:42:27 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") 
-> FALSE
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> 
FALSE
..

Example 2: User does not belong to any group:
$ ldapsearch -x cn=test_user groupMembership uid | egrep "(uid|radius)"
# requesting: groupMembership uid
uid: test_user
$ radiusd -X -xx -s
..
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: performing search in 
ou=radius,o=myorg, with filter 
(&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: object not found or got ambiguous 
search result
..
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:49:57 2009 : Info:        expand: %{control:Ldap-Group} ->
Tue Jan 20 10:49:57 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") 
-> FALSE
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> 
FALSE
..

---
Maxim
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
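
The debug output above shows the underlying cause: Ldap-Group is a comparison attribute that rlm_ldap evaluates on demand (the `ldap_groupcmp` search in the log) rather than a value stored in the control list, so `%{control:Ldap-Group}` expands to an empty string whether or not the user is in a group. The authorize fragment below is an added example, not Maxim's configuration; it assumes rlm_ldap is instantiated as `ldap`, uses the `telnet` group from the post, and uses `ssh` as an assumed second group name for illustration.

```unlang
authorize {
    # ... preceding modules ...
    ldap

    # Only users rlm_ldap actually found (ok) are checked for group
    # membership; notfound/fail fall through to the rest of the section.
    if (ok) {
        # Each "Ldap-Group == ..." comparison triggers one group search
        # in LDAP for this user. "telnet" is from the original post;
        # "ssh" is an assumed group name used here for illustration.
        if (!(Ldap-Group == "telnet" || Ldap-Group == "ssh")) {
            # Authenticated against LDAP but member of no permitted group.
            update reply {
                Reply-Message := "Not a member of any permitted group"
            }
            reject
        }
    }
    # ... remaining modules ...
}
```

Each comparison appears in `radiusd -X` output as an `rlm_ldap::ldap_groupcmp` line like the one in Example 1, which is the quickest way to confirm the check is actually being evaluated.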
