> > note the "rlm_ldap: ldap_search() failed: Bad search filter" line
>

Thanks for pointing that out for me Alan, I missed that in the debug log.

> Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is
> difficult to debug (as we are finding)
>
> Secondly, doing the LDAP lookups directly gives you a more rich interface
> to the underlying LDAP data. Doing it via rlm_unix limits you to schema
> elements present in the posix LDAP schema and get*ent calls
>

Those both make perfect sense, thanks for explaining that Phil.

I finally got this working with the following groupmembership_filter...

"(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

Thanks again to those who helped me with this, it's appreciated.

Regards
Cameron.

--

On Mon, Sep 27, 2010 at 22:44, Phil Mayers <p.may...@imperial.ac.uk> wrote:

> On 27/09/10 11:44, Cameron Wood wrote:
>
>> groupname_attribute = cn
>> groupmembership_filter =
>> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
>> groupmembership_attribute = radiusGroupName
>>
>> Attached is a debug log of my logon attempts with these settings, which
>> still fails unfortunately.
>>
>
> The filter is invalid. You're missing a trailing ")" which is easily done
> in the stupid LDAP filter syntax.
>
>>
>> If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
>> queries, even if nsswitch is set up for it.
>>
>> Noted, are you able to elaborate on why this is the case though, just
>> like to understand, only if it's not too much trouble though.
>>
>
> Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix
> is difficult to debug (as we are finding).
>
> Secondly, doing the LDAP lookups directly gives you a more rich interface
> to the underlying LDAP data. Doing it via rlm_unix limits you to schema
> elements present in the posix LDAP schema and get*ent calls.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html