Hi, I'd like to specify my auth policies using the rlm_policy module (since I like its obvious flexibility and the cleanness of its policy syntax, and because I wasn't able to solve some particular problems with rlm_files), but there's one big problem left: until now I've been using the Ldap-Group attribute within my users file (I want to get rid of rlm_files) to check whether the user which is to be authorized is a member of a particular LDAP group. I also need to do this check within my intended 'policy setup', but it turned out that I can't get conditions of the form (e.g.)

if( Ldap-Group==vpn-staff ){ ... }

to work. Conditions that comprise this attribute in any way always evaluate to false, while others like e.g. Called-Station-Id, NAS-Identifier, NAS-Port and any combination thereof work as expected. Might this have something to do with the fact that Ldap-Group is not a 'real' attribute? rlm_ldap is active, by the way. It says 'rlm_ldap: Registering ldap_groupcmp for Ldap-Group' when the daemon starts up, and obviously it doesn't matter whether 'policy' is before or after 'ldap' in the authorize sections of 'sites-available/default'/'sites-available/inner-tunnel' in this respect.

By browsing the code of rlm_policy a bit I figured that 'find_vp' returns 0 if it gets passed 'Ldap-Group' (I might be wrong). It's called approximately around line 589 (by 'vp = find_vp(state->request, this->lhs);') of 'rlm_policy/evaluate.c'.

What can I do to get the 'Ldap-Group' stuff working? Could anyone (otherwise) tell me how to fit the 'paircompare(...)' function (as is used in rlm_files) into the rlm_policy context, or provide a patch which does?

Thanks in advance,
best regards
Thomas

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
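The two lookup paths the post contrasts, as an added illustration that is neither FreeRADIUS source nor code from the poster: a small C model in which a "virtual" attribute such as Ldap-Group has no value pair in the request and exists only as a comparison callback registered by the LDAP module. A find_vp-style walk of the request list never sees it (so a policy condition on it is always false), while a paircompare-style dispatch asks the registered callback first (which is why the users file works). The names `VALUE_PAIR`, `find_vp`, `paircompare`, `paircompare_register` and `ldap_groupcmp` echo the ones mentioned in the post, but their bodies, the hard-coded membership table and the sample request are constructed assumptions for the demo, not the real implementations.

```c
/* Simplified model (not FreeRADIUS source) of the two lookup paths.
 * Ldap-Group never appears as a pair in the request; it exists only as a
 * comparison callback that the LDAP module registers at start-up. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;   /* attribute name, e.g. "User-Name" */
    const char *value;  /* attribute value as a string */
} VALUE_PAIR;

/* paircompare convention: 0 means "matches", non-zero means "does not". */
typedef int (*cmp_fn)(const VALUE_PAIR *req, int nreq, const VALUE_PAIR *check);

static struct { const char *attr; cmp_fn fn; } cmp_registry[8];
static int ncmp;

/* Assumed stand-in for a registration API: remember one callback per attribute. */
static int paircompare_register(const char *attr, cmp_fn fn)
{
    if (ncmp >= 8) return -1;
    cmp_registry[ncmp].attr = attr;
    cmp_registry[ncmp].fn = fn;
    ncmp++;
    return 0;
}

/* find_vp-style lookup: only real pairs present in the request can be found. */
static const VALUE_PAIR *find_vp(const VALUE_PAIR *req, int nreq, const char *attr)
{
    for (int i = 0; i < nreq; i++)
        if (strcmp(req[i].name, attr) == 0) return &req[i];
    return NULL;
}

/* paircompare-style evaluation: registered callback first, real pair second. */
static int paircompare(const VALUE_PAIR *req, int nreq, const VALUE_PAIR *check)
{
    for (int i = 0; i < ncmp; i++)
        if (strcmp(cmp_registry[i].attr, check->name) == 0)
            return cmp_registry[i].fn(req, nreq, check);
    const VALUE_PAIR *vp = find_vp(req, nreq, check->name);
    if (!vp) return -1;                 /* attribute absent: no match */
    return strcmp(vp->value, check->value);
}

/* Constructed stand-in for the LDAP module's group callback: instead of
 * searching a directory it answers from a hard-coded membership table. */
static int ldap_groupcmp(const VALUE_PAIR *req, int nreq, const VALUE_PAIR *check)
{
    static const struct { const char *user, *group; } membership[] = {
        { "alice", "vpn-staff" }, { "alice", "wifi" }, { "bob", "wifi" },
    };
    const VALUE_PAIR *user = find_vp(req, nreq, "User-Name");
    if (!user) return -1;
    for (size_t i = 0; i < sizeof membership / sizeof membership[0]; i++)
        if (strcmp(membership[i].user, user->value) == 0 &&
            strcmp(membership[i].group, check->value) == 0)
            return 0;
    return 1;
}

/* rlm_policy-style condition "attr == value": 1 if true, 0 if false. */
static int policy_condition(const VALUE_PAIR *req, int nreq, const char *attr, const char *value)
{
    const VALUE_PAIR *vp = find_vp(req, nreq, attr);
    if (!vp) return 0;                  /* a virtual attribute always ends here */
    return strcmp(vp->value, value) == 0;
}

/* rlm_files-style condition: the same question routed through paircompare(). */
static int files_condition(const VALUE_PAIR *req, int nreq, const char *attr, const char *value)
{
    VALUE_PAIR check = { attr, value };
    return paircompare(req, nreq, &check) == 0;
}

/* Constructed request for the demo: alice authenticating from a VPN NAS. */
static const VALUE_PAIR demo_req[] = {
    { "User-Name", "alice" }, { "NAS-Identifier", "vpn-gw1" },
};
#define DEMO_NREQ (int)(sizeof demo_req / sizeof demo_req[0])

static void demo_setup(void) { ncmp = 0; paircompare_register("Ldap-Group", ldap_groupcmp); }

int policy_nas_check(void)       { demo_setup(); return policy_condition(demo_req, DEMO_NREQ, "NAS-Identifier", "vpn-gw1"); }
int policy_ldapgroup_check(void) { demo_setup(); return policy_condition(demo_req, DEMO_NREQ, "Ldap-Group", "vpn-staff"); }
int files_ldapgroup_check(void)  { demo_setup(); return files_condition(demo_req, DEMO_NREQ, "Ldap-Group", "vpn-staff"); }
int files_othergroup_check(void) { demo_setup(); return files_condition(demo_req, DEMO_NREQ, "Ldap-Group", "admins"); }

int main(void)
{
    printf("rlm_policy  NAS-Identifier==vpn-gw1 : %d\n", policy_nas_check());
    printf("rlm_policy  Ldap-Group==vpn-staff   : %d\n", policy_ldapgroup_check());
    printf("rlm_files   Ldap-Group==vpn-staff   : %d\n", files_ldapgroup_check());
    printf("rlm_files   Ldap-Group==admins      : %d\n", files_othergroup_check());
    return 0;
}
```

The NAS-Identifier condition is true on both paths because the pair is really in the request; the Ldap-Group condition is true only on the paircompare path, because the policy path's `find_vp` returns NULL and the condition collapses to false before any comparison happens. Routing the policy module's lhs lookup through a paircompare-style dispatch, as the post asks about, is what would let the registered callback answer.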