> OK. Let's backtrack. Something is wrong here.
> Try unlang: if (!control:Ldap-Group) { ...
>
>
> I have done this with Auth-Type before and it works. But you say that
> this is active regardless of user being in ldap group or not. Try this:
>
> ldap
>
> if(!control:Ldap-Group) {
> }
> update control {
>     Ldap-Group = "something"
> }
> if(!control:Ldap-Group) {
> }
>
> It looks to me that your ldap module is not populating Ldap-Group.
>
> Ivan Kalik
> Kalik Informatika ISP
>

You're right. These are the test results for a user who for sure belongs to some groups:

Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:27:35 2009 : Info: +++++- if (!control:Ldap-Group) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++[control] returns notfound
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:27:35 2009 : Info: ? Evaluating !(control:Ldap-Group) -> TRUE
Wed Jan 21 11:27:35 2009 : Info: ++++? if (!control:Ldap-Group) -> FALSE
Wed Jan 21 11:27:35 2009 : Info: +++- if (ok) returns notfound

Another example with such a config:

if(control:Ldap-Group == "telnet") {
}
if(Ldap-Group == "telnet") {
}
if(!Ldap-Group) {
}
if(!control:Ldap-Group) {
}

Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Info: (Attribute control:Ldap-Group was not found)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Wed Jan 21 11:44:18 2009 : Info: expand: o=myorg -> o=myorg
Wed Jan 21 11:44:18 2009 : Info: expand: (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))) -> (&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Checking Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_get_conn: Got Id: 0
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: performing search in o=myorg, with filter (&(cn=telnet)(&(objectclass=radiusprofile)(|(&(objectClass=groupOfNames)(member=cn\3dtest_user\2cou\3dusers\2co\3dmyorg))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dtest_user\2cou\3dusers\2co\3dmyorg)))))
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (Ldap-Group == "telnet") {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (Ldap-Group == "telnet") returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++- if (!Ldap-Group) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++- if (ok) returns notfound
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++- entering if (!control:Ldap-Group) {...}
Wed Jan 21 11:44:18 2009 : Info: +++++[ok] returns ok
Wed Jan 21 11:44:18 2009 : Info: ++++- if (!control:Ldap-Group) returns ok
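
Added example, not part of the original posts: a small Python parser for debug traces of the shape quoted above. For each unlang condition it records whether rlm_ldap's ldap_groupcmp() ran before the verdict, so group checks decided without a directory lookup stand out. The sample lines are constructed (abridged from the thread's output) and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the debug output quoted in this thread.
SAMPLE = """\
Wed Jan 21 11:44:18 2009 : Info: ++++? if (control:Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Info: (Attribute control:Ldap-Group was not found)
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet")
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap: Entering ldap_groupcmp()
Wed Jan 21 11:44:18 2009 : Debug: rlm_ldap::ldap_groupcmp: User found in group telnet
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (Ldap-Group == "telnet") -> TRUE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group)
Wed Jan 21 11:44:18 2009 : Info: ? Evaluating !(control:Ldap-Group) -> FALSE
Wed Jan 21 11:44:18 2009 : Info: ++++? if (!control:Ldap-Group) -> TRUE
"""

# "++++? if (cond)" opens a condition; the same text plus "-> TRUE|FALSE" closes it.
COND = re.compile(r"\++\? if \((?P<cond>.*?)\)(?: -> (?P<res>TRUE|FALSE))?$")

def summarize(log_text):
    """Return one record per unlang condition found in the trace."""
    records, current = [], None
    for line in log_text.splitlines():
        m = COND.search(line.rstrip())
        if m and m["res"] is None:            # condition about to be evaluated
            current = {"cond": m["cond"], "result": None,
                       "ldap_lookup": False, "attr_missing": False}
            records.append(current)
        elif m and current and m["cond"] == current["cond"]:
            current["result"] = m["res"]      # final verdict for that condition
        elif current and "Entering ldap_groupcmp()" in line:
            current["ldap_lookup"] = True     # rlm_ldap searched the directory
        elif current and "was not found)" in line:
            current["attr_missing"] = True    # attribute absent from the list
    return records

def unverified_group_checks(records):
    """Conditions naming Ldap-Group that never triggered an LDAP group search."""
    return [r["cond"] for r in records
            if "Ldap-Group" in r["cond"] and not r["ldap_lookup"]]

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
    print("no directory lookup:", unverified_group_checks(summarize(SAMPLE)))
```
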