> OK. Let's backtrack. Something is wrong here.
> Try unlang: if (!control:Ldap-Group) { ...
> 
> 
> I have done this with Auth-Type before and it works. But you say that
> this is active regardless of user being in ldap group or not. Try this:
> 
> ldap
> 
> if(!control:Ldap-Group) {
> }
> update control {
>    Ldap-Group = "something"
> }
> if(!control:Ldap-Group) {
> }
> 
> It looks to me that your ldap module is not populating Ldap-Group.
> 
> Ivan Kalik
> Kalik Informatika ISP
> 

You're right. These are the test results for a user who for sure belongs to some
groups:
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:27:35 2009 : Info: +++++- if (!control:Ldap-Group) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++[control] returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: +++- if (ok) returns notfound

Another example with such a config:
if(control:Ldap-Group == "telnet") {
}
if(Ldap-Group == "telnet") {
}
if(!Ldap-Group) {
}
if(!control:Ldap-Group) {
}

Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Info:     (Attribute control:Ldap-Group was not found)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Wed Jan 21 11:44:18 2009 : Info:        expand: o=myorg -> o=myorg
Wed Jan 21 11:44:18 2009 : Info:        expand: (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))) -> (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: performing search in o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg)))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (Ldap-Group == "telnet") {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (Ldap-Group == "telnet") returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (!Ldap-Group) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++[ok] returns ok
Wed Jan 21 11:44:18 2009 : Info: ++++- if (!control:Ldap-Group) returns ok

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
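
Added example, not part of the original message or of FreeRADIUS: a Python script that reads debug output in the format shown above and reports, for each unlang condition, the logged result and whether rlm_ldap's ldap_groupcmp() ran while it was evaluated. The function names and the shortened sample are assumptions made for illustration.

```python
import re

# Constructed sample: lines taken from the second debug log in the message,
# with the long LDAP filter expansion lines left out.
SAMPLE = """\
Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Info:     (Attribute control:Ldap-Group was not found)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
"""

COND = re.compile(r'\+\? if \((?P<expr>.*?)\)(?: -> (?P<result>TRUE|FALSE))?\s*$')

def summarize(log):
    """Return one record per unlang condition: expression, logged result,
    and whether ldap_groupcmp() appeared while it was being evaluated."""
    records, pending = [], None
    for line in log.splitlines():
        m = COND.search(line)
        if m and m["result"] is None:        # a condition starts
            if pending:                      # the previous one logged no result
                records.append(pending)
            pending = {"expr": m["expr"], "result": None, "ldap_queried": False}
        elif m and pending and m["expr"] == pending["expr"]:
            pending["result"] = m["result"]  # final verdict for this condition
            records.append(pending)
            pending = None
        elif pending and "ldap_groupcmp" in line:
            pending["ldap_queried"] = True
    if pending:
        records.append(pending)
    return records

def unbacked_group_checks(records):
    """Conditions that mention Ldap-Group but show no LDAP group lookup."""
    return [r["expr"] for r in records
            if "Ldap-Group" in r["expr"] and not r["ldap_queried"]]

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(f'{r["expr"]:34} result={r["result"]} ldap_queried={r["ldap_queried"]}')
    print("no LDAP lookup:", unbacked_group_checks(summarize(SAMPLE)))
```

On the sample, only the `Ldap-Group == "telnet"` comparison shows a group lookup; the existence tests and the `control:` form are listed as having none.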
