note the rlm_ldap: ldap_search() failed: Bad search filter line
Thanks for pointing that out for me Alan, I missed that in the debug log.
Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is
difficult to debug (as we are finding)
Secondly, doing the LDAP lookups
On 09/27/2010 01:09 AM, Cameron Wood wrote:
Are we talking about Group-Name (which is implemented by the unix
module and comes from /etc/group) or Ldap-Group (which is
implemented by the ldap module and comes from ldap lookups)?
Both implement their own == hooks so the same
I think there might be actually; you have:
groupmembership_filter = ...(member=%{Ldap-UserDn}...
...but the default/sample configs that come with the server have:
groupmembership_filter = ...(member=%{control:Ldap-UserDn}...
That control: is important. Which version of the server are you
Hi,
rlm_ldap: Entering ldap_groupcmp()
expand: dc=ac3,dc=com,dc=au - dc=ac3,dc=com,dc=au
expand:
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))
-
On 27/09/10 11:44, Cameron Wood wrote:
groupname_attribute = cn
groupmembership_filter =
(|((objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))((objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))
groupmembership_attribute = radiusGroupName
Attached is a debug
Cameron Wood wrote:
Is the comparison in the right location, in the Authorize section, and
if so am I trying to compare against the wrong attribute, hence it
getting expanded and not returning anything?
The previous explanations already answered this.
Alan D could you shed some light on
On 09/26/2010 03:08 AM, Cameron Wood wrote:
Thank you Alan B & Alan D for your comments, and I'll make sure to
include the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post,
but I admittedly have tried encasing it in %{...} and
Thanks for explaining that Phil, appreciate it.
I had come to the conclusion that I couldn't enclose these references
because it was trying to expand them and thus expecting them to have a
single value. Similarly I couldn't assign from them because of this same
reason. But still I was missing the
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still completely stumped though why I can't get any joy from my
comparisons using the following IF statement
if (Group-Name == 'net_su') {
    update control {
        Tmp-String-2 := 'net_su'
If he is using LDAP then my prior post about the howto would work for him:
https://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
On Mon, Sep 27, 2010 at 6:48 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 09/26/2010 11:47 AM, Cameron Wood wrote:
I'm still
/usr/sbin/radiusd -X | tee log
# make your login/radius request in another window, then
# Ctrl+C
Thanks for that suggestion, I hadn't actually used 'tee' before, so that
will help me make sure I have a full debug log each time.
Are we talking about Group-Name (which is implemented by the
Thanks for the link Peter, I'm talking over the possibility of this with the
people who run LDAP at my organisation.
Regards
Cam.
--
On Mon, Sep 27, 2010 at 04:30, Peter Lambrechtsen
plambrecht...@gmail.com wrote:
If he is using LDAP then my prior post about the howto would work for him:
Hi
I'm trying to obtain the Group-Name for the requested user and use it with
unlang in the Post-Auth section of my sites-available/default config.
This hasn't worked thus far, and I have tried a number of other ideas, such as
getting it whilst in the Authorize section and creating new variable to
Cameron Wood wrote:
I'm trying to obtain the Group-Name for the requested user and use it
with unlang in the Post-Auth section of my sites-available/default config.
That won't work. The user may be a member of many groups, so
obtaining the group name is not possible. You can *compare* to
Thanks for the reply Alan.
That won't work. The user may be a member of many groups, so
obtaining the group name is not possible.
That makes perfect sense.
You can *compare* to see if the user is a member of a group.
How can I compare this data? I've tried
Cameron Wood wrote:
How can I compare this data? I've tried comparing for it in the
Authorize section using an IF statement, but that didn't work.
sigh
*What* did you try?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I first tried using Group-Name as that works in the Users file...
if (Group-Name == net_su) {
    update control {
        Tmp-String-0 := net_su
    }
}
Then after searching the mailing list I came across Ldap-Group and gave that
a try as well...
if (Ldap-Group == net_su) {
    update control
Cameron Wood wrote:
I first tried using Group-Name as that works in the Users file...
if (Group-Name == net_su) {
And the debug mode says... ?
If you're interested in never solving the problem, you're off to a
good start.
Alan DeKok.
The debug output says almost nothing for that statement...
++? if (Group-Name == net_su)
? Evaluating (Group-Name == net_su) -> FALSE
++? if (Group-Name == net_su) -> FALSE
Cam.
--
On Sat, Sep 25, 2010 at 19:06, Alan DeKok al...@deployingradius.com wrote:
Cameron Wood wrote:
I first
Cameron Wood wrote:
The debug output says almost nothing for that statement...
You've repeatedly tried to make it impossible for anyone to help you.
I have no idea why, but I definitely get the message.
Good luck solving the problem.
Alan DeKok.
I don't understand how you could have arrived at this position. All I have
been doing is seeking some help with my problem; politely asking questions
and providing what I thought was relevant information when asked.
If any of the questions I have asked were too brief or not detailed enough
then
Cameron Wood wrote:
If any of the questions I have asked were too brief or not detailed
enough then surely you could have asked me to provide more detail?
I did. You *repeatedly* gave minimal information in response to a
question.
It's like asking you where you live. You respond Earth.
Hi,
That wasn't my intention, I thought pasting the entire
sites-available/default and debug output might be frowned upon.
pasting the config file is not necessary. if you read the docs and the mailing
list history, you will see that posting the full, complete
debug output log from 'radiusd
Alan Buxey wrote:
Hi,
That wasn't my intention, I thought pasting the entire
sites-available/default and debug output might be frowned upon.
pasting the config file is not necessary. if you read the docs and the mailing
list history, you will see that posting the full, complete
debug
Thank you Alan B & Alan D for your comments, and I'll make sure to include
the full, complete debug output log in future.
I don't think the logic of my example has changed since my earlier post, but
I admittedly have tried encasing it in %{...} and adding a list to it as
well to try and get it to