On 09/26/2010 11:47 AM, Cameron Wood wrote:

I'm still completely stumped though why I can't get any joy from my
comparisons using the following IF statement

         if (Group-Name == 'net_su') {
                 update control {
                         Tmp-String-2 := 'net_su'
                 }
         }


The Group-Name checks I have in my Users file return as expected, but I
couldn't see any reason why they aren't working here from the output of
my debug log below

Are we talking about Group-Name (which is implemented by the "unix" module and comes from /etc/group) or Ldap-Group (which is implemented by the ldap module and comes from ldap lookups)?

Both implement their own == hooks so the same constraints apply, but the difference is relevant of course!

Below you show an attempt to match both in turn. For Group-Name, the comparison seems to fail, implying that either the "unix" module isn't configured/loaded or the username isn't in the group you're matching.

For Ldap-Group, the issue seems to be that when the group comparison is done, "Ldap-UserDn" is null. I don't see how that is possible in the source code, but...

You've only posted a subset of the debug output; seriously, please don't trim it. You want to do something like:

/usr/sbin/radiusd -X | tee log
# make your login/radius request in another window, then
# Ctrl+C

...and send the contents of "log".

If you are trying to match (unix) Group-Name, you will need to ensure the "unix" module is present and instantiated in the config - either by ensuring it's present in the "authorize" section, or if you don't want to run it, putting it in the "instantiate" section of radiusd.conf.

If you are trying to match (ldap) Ldap-Group, you will need to ensure that the LDAP directory is correctly populated.

Either way, we keep getting partial info from you, so it's hard to help. A full "radiusd -X" debug will allow us to see exactly what the full module config, load order and processing chain for a request is. Help us to help you ;o)

Cheers,
Phil
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
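
Added example, not part of the original message and not FreeRADIUS code: a Python check for the second cause named above for a failing Group-Name comparison (the username isn't in the group), run over constructed passwd/group text. It assumes a user counts as a member when the group is their primary group or lists them by name; all user names, group lines and GIDs below are made up.

```python
# Constructed sample data in passwd(5) / group(5) format (not from the thread).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cwood:x:1001:1001:Constructed user:/home/cwood:/bin/bash
alice:x:1002:2000:Constructed user:/home/alice:/bin/bash
"""
GROUP = """\
root:x:0:
cwood:x:1001:
net_su:x:2000:bob,carol
net_ro:x:2001:cwood
"""

def parse_passwd(text):
    """Map username -> primary GID from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4 and fields[3].isdigit():
            users[fields[0]] = int(fields[3])
    return users

def parse_group(text):
    """Map group name -> (GID, set of listed members) from group(5)-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            members = {m.strip() for m in fields[3].split(",") if m.strip()}
            groups[fields[0]] = (int(fields[2]), members)
    return groups

def explain_membership(user, group, passwd_text=PASSWD, group_text=GROUP):
    """Say why a user/group comparison would or would not match (assumed rule)."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    if user not in users:
        return "no such user"
    if group not in groups:
        return "no such group"
    gid, members = groups[group]
    if users[user] == gid:
        return "match: primary group"
    if user in members:
        return "match: listed member"
    return "no match: user not in group"
```

To run it against a real host, pass the contents of /etc/passwd and /etc/group as `passwd_text` and `group_text`; names are compared case-sensitively.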