On 09/26/2010 03:08 AM, Cameron Wood wrote:
> Thank you Alan B & Alan D for your comments, and I'll make sure to
> include the full, complete debug output log in future.

> I don't think the logic of my example has changed since my earlier post,
> but I admittedly have tried encasing it in %{...} and adding a list to
> it as well to try and get it to compare against the right data.

That *is* a logic change.

To be clear: The Group-Name attribute, along with similar attributes (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the right hand side of an operator.

The only valid location for these attributes is on the left hand side of an == operator, because internally they "hook" the == operator, and do this:

# every group the user belongs to is tested against the right-hand side
for group in all_groups:
  if group == right_hand_side:
    return True
return False

So, this is valid in an "unlang" block:

if (Group-Name == ANYVALUE)

...but ANYTHING else you might try is not. In particular, none of the following will work:

if ("%{Group-Name}" ...)

update control {
  An-Attribute = "%{Group-Name}"
}
if (An-Attribute)

...and so on.


> Is the comparison in the right location, in the Authorize section, and
> if so am I trying to compare against the wrong attribute, hence it
> getting expanded and not returning anything?
>
> Alan D could you shed some light on how the Group-Name attribute in
> Users is populated/gets compared when doing checks there?

It does not get "populated". The attribute implements its own == handler, which operates as above.


> I suspect from your comment that the field I am trying to check against
> since you say it can contain many values "because the user may be a
> member of many, many, groups" could be a long string with separators or
> an array of values, would this be right? In which case do I need to use
> a regex method or access a specific value within an array?

No. See above. It does NOT have a "value".

Do you know any programming languages? If so, think "operator overloading".
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
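
The "hooked ==" behaviour described in the message above, as a toy Python model added here for illustration; it is not FreeRADIUS source code and not part of the original post. The names Request, COMPARE_HOOKS, expand and condition_eq are hypothetical, and the sample request is constructed. It shows why a group check used as an access-control condition matches only in the form "Group-Name == value", while "%{Group-Name}" expands to nothing.

```python
import re

# Toy model only: every name below is hypothetical, not a FreeRADIUS API.
COMPARE_HOOKS = {}  # attribute name -> callback(request, right_hand_side) -> bool


def group_name_eq(request, right_hand_side):
    """'==' handler for Group-Name: true if any of the user's groups matches."""
    return any(group == right_hand_side for group in request.lookup_groups())


COMPARE_HOOKS["Group-Name"] = group_name_eq


class Request:
    def __init__(self, attributes, groups):
        self.attributes = dict(attributes)  # real attributes carried in the request
        self._groups = list(groups)         # stand-in for the group database

    def lookup_groups(self):
        return self._groups


def expand(request, template):
    """Expand %{Name} from stored attributes only; a name with no value becomes ''."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: request.attributes.get(m.group(1), ""), template)


def condition_eq(request, left, right):
    """Evaluate 'if (left == right)' where left is an attribute name."""
    hook = COMPARE_HOOKS.get(left)
    if hook is not None:
        # Virtual attribute: the registered handler decides the result.
        return hook(request, right)
    # Ordinary attribute: compare its stored value.
    return request.attributes.get(left) == right


# Constructed sample request: a user who belongs to three groups.
req = Request({"User-Name": "bob"}, ["staff", "vpn-users", "wifi"])

if __name__ == "__main__":
    print(condition_eq(req, "Group-Name", "vpn-users"))  # handler finds a match
    print(condition_eq(req, "Group-Name", "admins"))     # no group matches
    print(repr(expand(req, "%{Group-Name}")))            # nothing to expand
```
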
