Hi,
I'd like to specify my auth-policies using the rlm_policy module (since I like
its obvious flexibility and the cleanness of its policy syntax, and because I
wasn't able to solve some particular problems with rlm_files), but there's one
big problem left:
Until now I've been using the Ldap-Group attribute within my users file (I want
to get rid of rlm_files) to check whether the user -- which is to be authorized
-- is a member of a particular LDAP group. I also need to do this check within
my intended 'policy setup', but it turned out that I can't get conditions of the
form (e.g.)

if( Ldap-Group==vpn-staff ){
...
}

to work. Conditions that comprise this attribute in any way always evaluate to
false, while others like e.g. Called-Station-Id, NAS-Identifier, NAS-Port and
any combination thereof work as expected.
Might this have something to do with the fact that Ldap-Group is not a 'real'
attribute? rlm_ldap is active, by the way. It says 'rlm_ldap: Registering
ldap_groupcmp for Ldap-Group' when the daemon starts up, and obviously it
doesn't matter whether 'policy' is before or after 'ldap' in the authorize
sections of 'sites-available/default'/'sites-available/inner-tunnel' in this
respect.

By browsing the code of rlm_policy a bit I figured that 'find_vp' returns 0 if
it gets passed 'Ldap-Group' (I might be wrong). It's called approximately
around line 589 (by 'vp = find_vp(state->request, this->lhs);') of
'rlm_policy/evaluate.c'.

What can I do to get the 'Ldap-Group' stuff working? Could anyone (otherwise)
tell me how to fit the 'paircompare(...)' function (as is used in rlm_files) into
the rlm_policy context, or provide a patch which does?

Thanks in advance,
best regards,
 Thomas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
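The following is an added illustration, not code from the post or from FreeRADIUS itself. It models the two lookup strategies the message contrasts: a find_vp-style search of the request's own attribute list, which cannot see a virtual attribute such as Ldap-Group because no such pair is ever stored in the request, versus a paircompare-style evaluation that first consults a registry of compare callbacks (what 'Registering ldap_groupcmp for Ldap-Group' sets up) and lets the callback decide membership from other request attributes. The group name vpn-staff, the constructed Access-Request, the fake directory and all function names are assumptions made up for the example; the ordering of registry lookup versus pair lookup is the model's own, not a claim about the real paircompare() implementation.

```python
"""Model of why a virtual attribute needs a registered compare function.

Added illustration, not FreeRADIUS code.  Two evaluators are shown:

  * eval_condition_find_vp_only: look the attribute up in the request's pair
    list and compare the stored value.  Ldap-Group never appears there, so the
    condition is always false (the behaviour described in the post).
  * eval_condition_paircompare: consult a registry of compare callbacks first
    (modelled on rlm_ldap registering ldap_groupcmp for Ldap-Group), then fall
    back to the plain pair lookup for real attributes.

Everything below (group names, users, request contents) is constructed.
"""

from typing import Callable, Dict, List, Optional, Set, Tuple

# A request is an ordered list of (attribute, value) pairs, like a VALUE_PAIR list.
Request = List[Tuple[str, str]]

# Constructed stand-in for an LDAP directory: group -> member user names.
FAKE_DIRECTORY: Dict[str, Set[str]] = {
    "vpn-staff": {"thomas", "alice"},
    "wifi-guests": {"bob"},
}

# Registry of compare callbacks for attributes that have no real value pair.
# Callback signature: callback(request, wanted_value) -> bool
COMPARE_FUNCS: Dict[str, Callable[[Request, str], bool]] = {}


def register_compare(attr: str, func: Callable[[Request, str], bool]) -> None:
    """Bind a compare callback to an attribute name (assumed helper)."""
    COMPARE_FUNCS[attr] = func


def find_vp(request: Request, attr: str) -> Optional[Tuple[str, str]]:
    """find_vp-style lookup: first pair with this name, or None if absent."""
    for name, value in request:
        if name == attr:
            return (name, value)
    return None


def ldap_groupcmp(request: Request, group: str) -> bool:
    """Stand-in for an ldap_groupcmp: membership is decided from User-Name."""
    user = find_vp(request, "User-Name")
    if user is None:
        return False
    return user[1] in FAKE_DIRECTORY.get(group, set())


def eval_condition_find_vp_only(request: Request, attr: str, wanted: str) -> bool:
    """Only real pairs are visible, so a virtual attribute can never match."""
    vp = find_vp(request, attr)
    return vp is not None and vp[1] == wanted


def eval_condition_paircompare(request: Request, attr: str, wanted: str) -> bool:
    """Registered compare callback first, then the plain pair lookup."""
    func = COMPARE_FUNCS.get(attr)
    if func is not None:
        return func(request, wanted)
    vp = find_vp(request, attr)
    return vp is not None and vp[1] == wanted


# Mirrors the daemon's start-up message 'Registering ldap_groupcmp for Ldap-Group'.
register_compare("Ldap-Group", ldap_groupcmp)

# Constructed Access-Request for user 'thomas' on a hypothetical VPN gateway.
REQUEST: Request = [
    ("User-Name", "thomas"),
    ("NAS-Identifier", "vpn-gw-1"),
    ("Called-Station-Id", "00-11-22-33-44-55"),
]

if __name__ == "__main__":
    for evaluator in (eval_condition_find_vp_only, eval_condition_paircompare):
        print(evaluator.__name__,
              "NAS-Identifier==vpn-gw-1:", evaluator(REQUEST, "NAS-Identifier", "vpn-gw-1"),
              "Ldap-Group==vpn-staff:", evaluator(REQUEST, "Ldap-Group", "vpn-staff"))
```

Running the block shows both evaluators agreeing on the real attribute NAS-Identifier, while only the paircompare-style evaluator returns true for Ldap-Group == vpn-staff; the find_vp-only evaluator returns false for every Ldap-Group condition regardless of the user's actual membership.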