19.01.09, 18:13, t...@kalik.net:
> >> >> > 3. Also I need a reject rule for those users who were authenticated
> >> >> > by LDAP and do not belong to any ldap-group. I've tried Ldap-Group
> >> >> > !*, but this attribute always exists for every user :(
> >> Try unlang:
> >> if (!control:Ldap-Group) {
> >>   ...
> >> -
> >
> > It doesn't work. For example, the user for sure belongs to some LDAP-group:
> Hm, and you are sure that the empty string value check:
> if ('%{control:Ldap-Group}' != "") {
>   ...
> isn't working?
Quote from "default" file:

authorize {
    ..
    ldap
    if (ok) {
        if ("%{control:Ldap-Group}" != "") {
            ok
        }
    }
    ..
}

Quote from "users" file (for group existence testing):

..
DEFAULT Framed-Protocol !* any, Ldap-Group == "telnet"
..

Example 1: User belongs to one group:

$ ldapsearch -x cn=test_user groupMembership | grep radius
groupMembership: cn=telnet,ou=profiles,ou=radius,o=myorg

$ radiusd -X -xx -s
..
Tue Jan 20 10:42:26 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Tue Jan 20 10:42:27 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
..
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:42:27 2009 : Info: expand: %{control:Ldap-Group} ->
Tue Jan 20 10:42:27 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE
Tue Jan 20 10:42:27 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE
..

Example 2: User does not belong to any group:

$ ldapsearch -x cn=test_user groupMembership uid | egrep "(uid|radius)"
# requesting: groupMembership uid
uid: test_user

$ radiusd -X -xx -s
..
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: performing search in ou=radius,o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2cou\3dradius\2co\3dmyorg)))))
Tue Jan 20 10:49:57 2009 : Debug: rlm_ldap: object not found or got ambiguous search result
..
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "")
Tue Jan 20 10:49:57 2009 : Info: expand: %{control:Ldap-Group} ->
Tue Jan 20 10:49:57 2009 : Info: ? Evaluating ("%{control:Ldap-Group}" != "") -> FALSE
Tue Jan 20 10:49:57 2009 : Info: ++++? if ("%{control:Ldap-Group}" != "") -> FALSE
..

---
Maxim

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
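The debug output above shows why the string check can never succeed: the `users` file entry `Ldap-Group == "telnet"` runs `rlm_ldap::ldap_groupcmp` and finds the user, while `%{control:Ldap-Group}` expands to an empty string in both examples. Ldap-Group is a virtual attribute that rlm_ldap evaluates on comparison; it is not stored in the control list, so neither `!control:Ldap-Group` nor a `!= ""` test on its expansion can see it. The following `authorize` fragment is an added example, not configuration from the thread or from the FreeRADIUS project; it assumes FreeRADIUS 2.x unlang and uses the hypothetical group names "telnet" and "ssh" (replace them with the radiusprofile groups actually defined under ou=profiles). Each comparison triggers its own LDAP group search, as in the debug lines above.

```unlang
# Added example (not from the original post). Assumes FreeRADIUS 2.x unlang;
# "telnet" and "ssh" are hypothetical group names under ou=profiles.
authorize {
    # ... preprocess, chap, mschap, suffix, eap etc. as in the stock default ...
    ldap
    if (ok) {
        # Ldap-Group is a virtual attribute: comparing it calls rlm_ldap's
        # group check (ldap_groupcmp). It is never written to the control
        # list, so "%{control:Ldap-Group}" expands to "" for every user and
        # cannot be used to detect group membership.
        if ((Ldap-Group == "telnet") || (Ldap-Group == "ssh")) {
            ok
        }
        else {
            # Found in LDAP but a member of none of the known groups:
            # reject here so no Access-Accept is sent for group-less users.
            reject
        }
    }
    # ... files, expiration, logintime, pap ...
}
```

The same rule can be kept in the `users` file instead of unlang by listing one `DEFAULT Ldap-Group == "<name>"` entry per group followed by a final `DEFAULT Auth-Type := Reject` entry, since the `users` file already evaluates Ldap-Group through the same comparison, as the page's own `Ldap-Group == "telnet"` entry demonstrates.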