Thanks for explaining that Phil, appreciate it. I had come to the conclusion that I couldn't enclose these references because it was trying to expand them and thus expecting them to have a single value. Similarly I couldn't assign from them because of this same reason. But still I was missing the point that you made, that these references implement their own == routine to accomplish these comparisons. I hadn't dealt with Operator Overloading before either so that helped put that in perspective when I looked that up.
I'm still completely stumped though why I can't get any joy from my comparisons using the following IF statement:

if (Group-Name == 'net_su') {
    update control {
        Tmp-String-2 := 'net_su'
    }
}

The Group-Name checks I have in my Users file return as expected, but I couldn't see any reason why they aren't working here from the output of my debug log below:

[ldap] performing user authorization for cameron
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> cameron
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=cameron)
[ldap] expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 0
rlm_ldap: bind as / to kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (uid=cameron)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user cameron authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
++? if (Ldap-Group == 'net_su')
rlm_ldap: Entering ldap_groupcmp()
expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group net_su not found or user is not a member.
? Evaluating (Ldap-Group == 'net_su') -> FALSE
++? if (Ldap-Group == 'net_su') -> FALSE
++? if (Group-Name == 'net_su')
? Evaluating (Group-Name == 'net_su') -> FALSE
++? if (Group-Name == 'net_su') -> FALSE
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "cameron" with password "password123
[ldap] user DN: uid=cameron,ou=People,dc=ac3,dc=com,dc=au
rlm_ldap: (re)connect to kenrose.ac3.com.au:389, authentication 1
rlm_ldap: bind as uid=cameron,ou=People,dc=ac3,dc=com,dc=au/password123 to kenrose.ac3.com.au:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user cameron authenticated succesfully
++[ldap] returns ok

The only thing I could think of is that the LDAP settings aren't correct and hence not finding my group memberships, but if this is the case, how does Group-Name, when used in the Users file, find my assigned groups and successfully compare them?

Regards,
Cam.

--

On Sun, Sep 26, 2010 at 19:01, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> On 09/26/2010 03:08 AM, Cameron Wood wrote:
>
>> Thank you Alan B & Alan D for your comments, and I'll make sure to
>> include the full, complete debug output log in future.
>>
>> I don't think the logic of my example has changed since my earlier post,
>> but I admittedly have tried encasing it in %{...} and adding a list to
>> it as well to try and get it to compare against the right data.
>
> That *is* a logic change.
>
> To be clear: The Group-Name attribute, along with similar attributes
> (SQL-Group, LDAP-Group) does not have a "value". You cannot have it on the
> right hand side of an operator.
>
> The only valid location for these attributes is on the left hand side of an
> == operator, because internally they "hook" the == operator, and do this:
>
> for group in all_groups:
>     if group == right-hand-side
>         return True
> return False
>
> So, this is valid in an "unlang" block:
>
> if (Group-Name == ANYVALUE)
>
> ...but ANYTHING else you might try is not. In particular, none of the
> following will work:
>
> if ("%{Group-Name}" ...)
>
> update control {
>     An-Attribute = "%{Group-Name}"
> }
> if (An-Attribute)
>
> ...and so on.
>
>> Is the comparison in the right location, in the Authorize section, and
>> if so am I trying to compare against the wrong attribute, hence it
>> getting expanded and not returning anything?
>>
>> Alan D could you shed some light on how the Group-Name attribute in
>> Users is populated/gets compared when doing checks there?
>
> It does not get "populated". The attribute implements its own == handler,
> which operates as above.
>
>> I suspect from your comment that the field I am trying to check against
>> since you say it can contain many values "because the user may be a
>> member of many, many, groups" could be a long string with separators or
>> an array of values, would this be right? In which case do I need to use
>> a regex method or access a specific value within an array?
>
> No. See above. It does NOT have a "value".
>
> Do you know any programming languages? If so, think "operator overloading".
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
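A toy Python model of the "operator overloading" behaviour Phil describes, added here as an illustration; it is not FreeRADIUS code or anything posted in the thread. The class, the in-memory directory and the empty-DN check (mirroring the "(member=)" filter visible in the debug output) are assumptions made for the example:

```python
# Added example: a check-item attribute such as Group-Name / Ldap-Group has no
# value of its own; it only hooks == and answers "is the user in that group?".
# The class and the in-memory directory below are assumptions, not FreeRADIUS code.

class GroupMembership:
    """Models an attribute that cannot be expanded or assigned, only compared."""

    def __init__(self, user_dn, directory):
        self.user_dn = user_dn        # DN of the user being authorized
        self.directory = directory    # group cn -> set of member DNs (constructed)

    def __eq__(self, rhs):
        # Without a user DN the membership filter becomes (member=), which
        # matches nothing; this is what the debug log above shows.
        if not self.user_dn:
            return False
        # Equivalent of: for group in all_groups: if group == rhs: return True
        return self.user_dn in self.directory.get(rhs, set())

    def __ne__(self, rhs):
        return not self.__eq__(rhs)

    def __str__(self):
        # Expanding "%{Group-Name}" yields nothing: there is no value to expand.
        return ""


# Constructed sample directory (assumption): two groups and their members.
DIRECTORY = {
    "net_su": {"uid=cameron,ou=People,dc=ac3,dc=com,dc=au"},
    "helpdesk": {"uid=alice,ou=People,dc=ac3,dc=com,dc=au"},
}


def evaluate_condition(user_dn, wanted_group, directory=DIRECTORY):
    """Models: if (Group-Name == 'net_su') { ... }  -- the only valid form."""
    group_name = GroupMembership(user_dn, directory)
    return group_name == wanted_group


def expand_attribute(user_dn, directory=DIRECTORY):
    """Models: update control { X := "%{Group-Name}" } -- always expands empty."""
    return str(GroupMembership(user_dn, directory))


if __name__ == "__main__":
    dn = "uid=cameron,ou=People,dc=ac3,dc=com,dc=au"
    print(evaluate_condition(dn, "net_su"))   # membership found
    print(evaluate_condition("", "net_su"))   # no DN, filter matches nothing
    print(repr(expand_attribute(dn)))         # nothing to expand
```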