Thanks for the link Peter, I'm talking over the possibility of this with the people who run LDAP at my organisation.
Regards Cam.

On Mon, Sep 27, 2010 at 04:30, Peter Lambrechtsen <plambrecht...@gmail.com> wrote:

> If he is using LDAP then my prior post about the howto would work for him:
>
> https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>
> On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>> On 09/26/2010 11:47 AM, Cameron Wood wrote:
>>
>>> I'm still completely stumped though why I can't get any joy from my
>>> comparisons using the following IF statement
>>>
>>> if (Group-Name == 'net_su') {
>>>     update control {
>>>         Tmp-String-2 := 'net_su'
>>>     }
>>> }
>>>
>>> The Group-Name checks I have in my Users file return as expected, but I
>>> couldn't see any reason why they aren't working here from the output of
>>> my debug log below
>>
>> Are we talking about Group-Name (which is implemented by the "unix" module
>> and comes from /etc/group) or Ldap-Group (which is implemented by the ldap
>> module and comes from ldap lookups)?
>>
>> Both implement their own == hooks so the same constraints apply, but the
>> difference is relevant of course!
>>
>> Below you show an attempt to match both in turn. For Group-Name, the
>> comparison seems to fail; implying that either the "unix" module isn't
>> configured/loaded or the username isn't in the group you're matching.
>>
>> For Ldap-Group; the issue seems to be that when the group comparison is
>> done, "Ldap-UserDn" is null. I don't see how that is possible in the source
>> code, but...
>>
>> You've only posted a subset of the debug output; seriously, please don't
>> trim it. You want to do something like:
>>
>>   /usr/sbin/radiusd -X | tee log
>>   # make your login/radius request in another window, then
>>   # Ctrl+C
>>
>> ...and send the contents of "log".
>>
>> If you are trying to match (unix) Group-Name, you will need to ensure the
>> "unix" module is present and instantiated in the config - either by ensuring
>> it's present in the "authorize" section, or if you don't want to run it,
>> putting it in the "instantiate" section of radiusd.conf
>>
>> If you are trying to match (ldap) Ldap-Group, you will need to ensure that
>> the LDAP directory is correctly populated.
>>
>> Either way, we keep getting partial info from you, so it's hard to help. A
>> full "radiusd -X" debug will allow us to see exactly what the full module
>> config, load order and processing chain for a request is. Help us to help
>> you ;o)
>>
>> Cheers,
>> Phil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
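
Phil's condition for Group-Name matching (the "unix" module listed in either the "authorize" or the "instantiate" section) can be checked against a config file before sending a debug log. The sketch below is an added example, not part of the original thread or of FreeRADIUS; the function name `module_in_section` is hypothetical and the config file you pass to it is an assumption about your layout.

```shell
#!/bin/sh
# Added example: report whether a module name appears as a bare entry inside
# a named section ("instantiate", "authorize") of a FreeRADIUS-style config.
# It only inspects the one file given; files pulled in via $INCLUDE are not
# followed, so run it on each file that may hold the section.
#
# usage: module_in_section SECTION MODULE FILE
# exit status 0 if MODULE is listed inside SECTION, 1 otherwise.
module_in_section() {
    awk -v sect="$1" -v mod="$2" '
        { sub(/#.*/, "") }                 # drop comments, incl. "# unix"
        # Opening line of the section we care about, e.g. "authorize {"
        depth == 0 && $1 == sect && $2 == "{" { depth = 1; next }
        depth > 0 {
            # A module reference is a line holding just the module name,
            # at any nesting level (e.g. inside an "if" block).
            if (NF == 1 && $1 == mod) found = 1
            opens  = gsub(/[{]/, "{")      # count braces to track nesting
            closes = gsub(/[}]/, "}")
            depth += opens - closes        # reaches 0 at the section end
        }
        END { exit (found ? 0 : 1) }
    ' "$3"
}

# Check both sections Phil names and print a verdict for the given file.
check_unix_module() {
    for s in instantiate authorize; do
        if module_in_section "$s" unix "$1"; then
            echo "unix is listed in $s"
            return 0
        fi
    done
    echo "unix is not listed in instantiate or authorize: Group-Name comparisons will not match"
    return 1
}
```

A positive result only shows the module is referenced; whether the user is actually in the group still has to be confirmed from the full "radiusd -X" output Phil asks for.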