If he is using LDAP then my prior post about the howto would work for him: https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 09/26/2010 11:47 AM, Cameron Wood wrote:
>
>> I'm still completely stumped though why I can't get any joy from my
>> comparisons using the following IF statement
>>
>> if (Group-Name == 'net_su') {
>>     update control {
>>         Tmp-String-2 := 'net_su'
>>     }
>> }
>>
>> The Group-Name checks I have in my Users file return as expected, but I
>> couldn't see any reason why they aren't working here from the output of
>> my debug log below
>
> Are we talking about Group-Name (which is implemented by the "unix" module
> and comes from /etc/group) or Ldap-Group (which is implemented by the ldap
> module and comes from ldap lookups)?
>
> Both implement their own == hooks so the same constraints apply, but the
> difference is relevant of course!
>
> Below you show an attempt to match both in turn. For Group-Name, the
> comparison seems to fail; implying that either the "unix" module isn't
> configured/loaded or the username isn't in the group you're matching.
>
> For Ldap-Group; the issue seems to be that when the group comparison is
> done, "Ldap-UserDn" is null. I don't see how that is possible in the source
> code, but...
>
> You've only posted a subset of the debug output; seriously, please don't
> trim it. You want to do something like:
>
> /usr/sbin/radiusd -X | tee log
> # make your login/radius request in another window, then
> # Ctrl+C
>
> ...and send the contents of "log".
>
> If you are trying to match (unix) Group-Name, you will need to ensure the
> "unix" module is present and instantiated in the config - either by ensuring
> it's present in the "authorize" section, or if you don't want to run it,
> putting it in the "instantiate" section of radiusd.conf
>
> If you are trying to match (ldap) Ldap-Group, you will need to ensure that
> the LDAP directory is correctly populated.
>
> Either way, we keep getting partial info from you, so it's hard to help. A
> full "radiusd -X" debug will allow us to see exactly what the full module
> config, load order and processing chain for a request is. Help us to help
> you ;o)
>
> Cheers,
> Phil
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
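A quick way to verify the advice quoted above (the "unix" module must appear in "authorize" or "instantiate" before a Group-Name comparison can work), written as an added example that is not part of the thread or of FreeRADIUS. The function names are hypothetical, the sample configuration is constructed, and the script assumes the relevant config files have been concatenated into one string.

```python
# Added example: names below are hypothetical, SAMPLE_CONF is constructed.
SAMPLE_CONF = """
instantiate {
    exec
    expr
}
server default {
    authorize {
        preprocess
        #unix
        files
        if (Group-Name == 'net_su') {
            update control {
                Tmp-String-2 := 'net_su'
            }
        }
    }
}
"""

def section_entries(conf_text, section):
    """First word of every line found anywhere inside a `section { ... }` block."""
    entries, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line.startswith("}"):                 # close the innermost block
            if stack:
                stack.pop()
            line = line[1:].strip()
        if line.endswith("{"):                   # open a block, remember its keyword
            words = line[:-1].split()
            stack.append(words[0] if words else "")
        elif line and section in stack:          # nested references count too
            entries.append(line.split()[0])
    return entries

def sections_loading(conf_text, module="unix"):
    """Which of instantiate/authorize reference the module, if any."""
    return [s for s in ("instantiate", "authorize")
            if module in section_entries(conf_text, s)]

if __name__ == "__main__":
    enabled = SAMPLE_CONF.replace("#unix", "unix")
    for label, conf in (("unix commented out", SAMPLE_CONF), ("unix enabled", enabled)):
        found = sections_loading(conf)
        print(label, "->", found or "unix not referenced in instantiate/authorize")
```

This only covers the (unix) Group-Name case; for Ldap-Group the thread points at the directory contents, which a config check cannot confirm.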