On 09/27/2010 01:09 AM, Cameron Wood wrote:

    Are we talking about Group-Name (which is implemented by the "unix"
    module and comes from /etc/group) or Ldap-Group (which is
    implemented by the ldap module and comes from ldap lookups)?
    Both implement their own == hooks so the same constraints apply, but
    the difference is relevant of course!


I honestly don't know which one I should be using; the information is in
LDAP, the local system is configured for LDAP and issuing the groups
command returns the local and LDAP groups the user is assigned to. Would
this suggest that I could just use Group-Name, making use of the unix
module?

If you can query LDAP directly, do so. Do not use rlm_unix for LDAP queries, even if nsswitch is set up for it.



    Below you show an attempt to match both in turn. For Group-Name, the
    comparison seems to fail; implying that either the "unix" module
    isn't configured/loaded or the username isn't in the group you're
    matching.


I read through the debug log to check that the unix module is getting
loaded, which it appears to be. I'm not aware of any configuration that
needs to be provided for that module; is there any?

No. As long as the module is being instantiated (which it is) then Group-Name should work.

As for the user being in the group, that is definitely the case; I have
verified this locally on the system, and the Group-Name comparison in
Users succeeds for this case.

Really? Hmm.



    If you are trying to match (ldap) Ldap-Group, you will need to
    ensure that the LDAP directory is correctly populated.


This I am looking into; to my knowledge it is correctly set up, as there
are lots of other systems around our organisation that reference it
successfully, but I wonder if the LDAP module is configured correctly.
Maybe there is a problem with the search string/query?

I think there might be actually; you have:

groupmembership_filter = "...(member=%{Ldap-UserDn}..."

...but the default/sample configs that come with the server have:

groupmembership_filter = "...(member=%{control:Ldap-UserDn}..."


That "control:" is important. Which version of the server are you using and where did you get the configs from? If you replace "Ldap-UserDn" with "control:Ldap-UserDn" (it appears twice in the group filter) does it work?
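To make the point about the list prefix concrete, here is an added Python snippet (mine, not from this thread or from the FreeRADIUS project) that lints an ldap module block for unqualified %{Ldap-UserDn} references and emulates how the group filter expands with and without "control:". The server, basedn and user DN values are constructed; the filter text is modelled on the sample raddb/modules/ldap shipped with 2.x, so compare it against your own copy; the expansion is an emulation of the attribute lookup for this one case, not the server's xlat engine.

```python
import re

# Constructed sample: an ldap module block using the filter from the thread,
# where both DN references lack the "control:" list prefix. Filter text is
# modelled on the 2.x sample config; check it against your own raddb.
BROKEN_LDAP_MODULE = '''
ldap {
    server = "ldap.example.org"
    basedn = "dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    groupmembership_attribute = radiusGroupName
}
'''

# Same block with both references qualified, as suggested above.
FIXED_LDAP_MODULE = BROKEN_LDAP_MODULE.replace("%{Ldap-UserDn}", "%{control:Ldap-UserDn}")

# option = "quoted value" lines inside the module block
_ASSIGN = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"', re.M)
# a DN reference with no list prefix (the bad form)
_UNQUALIFIED = re.compile(r'%\{Ldap-UserDn\}')
# any %{Attr} or %{list:Attr} reference
_XLAT = re.compile(r'%\{(?:([A-Za-z]+):)?([A-Za-z0-9-]+)\}')


def unqualified_userdn_refs(config_text):
    """Return {option: count} for every quoted option value that references
    %{Ldap-UserDn} without a list prefix. Empty dict means the config is clean."""
    hits = {}
    for name, value in _ASSIGN.findall(config_text):
        n = len(_UNQUALIFIED.findall(value))
        if n:
            hits[name] = n
    return hits


def expand_group_filter(config_text, lists):
    """Emulate attribute expansion for groupmembership_filter only.

    `lists` maps a list name ("request", "control", ...) to {attribute: value}.
    A bare %{Attr} is looked up in the request list, %{list:Attr} in the named
    list, and a missing attribute expands to "". Illustrative emulation only."""
    options = dict(_ASSIGN.findall(config_text))
    template = options["groupmembership_filter"]

    def substitute(match):
        list_name = match.group(1) or "request"
        attr = match.group(2)
        return lists.get(list_name, {}).get(attr, "")

    return _XLAT.sub(substitute, template)


if __name__ == "__main__":
    # Constructed request state: the ldap module has stored the user's DN in
    # the control list, and only User-Name is present in the request list.
    lists = {
        "control": {"Ldap-UserDn": "uid=jdoe,ou=people,dc=example,dc=org"},
        "request": {"User-Name": "jdoe"},
    }
    print("unqualified refs (broken):", unqualified_userdn_refs(BROKEN_LDAP_MODULE))
    print("unqualified refs (fixed): ", unqualified_userdn_refs(FIXED_LDAP_MODULE))
    print("broken filter expands to:", expand_group_filter(BROKEN_LDAP_MODULE, lists))
    print("fixed filter expands to: ", expand_group_filter(FIXED_LDAP_MODULE, lists))
```

With the unqualified reference the filter expands to "(member=)" and "(uniquemember=)", so the group search cannot find the user's groups and Ldap-Group comparisons fail; with "control:" the user's DN is substituted and the search has something to match. Running the lint over the module block before debugging the directory itself rules the configuration out quickly.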
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html