Hi Phil~
>>> You are aware how "Group-Name" works, and which groups it is referring to,
>>> right? Specifically, it is not a real attribute, and doesn't exist in a
>>> concrete form. Rather, when you perform a comparison, a real-time search is
>>> done against the relevant database using the value on the right-hand side.
>>> Group-Name queries the POSIX "getgrnam" APIs, which are normally backed by
>>> /etc/group, but can be supplemented/replaced by nsswitch.
Thank you, this is helpful information. Since the groups we are testing are
not actual unix groups but openldap/OpenDirectory groups... I'm assuming there
must have been some nsswitch configurations on the old server that helped with
this. Apple appears to use the directory service utils to handle this as
there is no nsswitch.conf. I'm currently looking into nsswitch equivlants for
apple (things like dscl localhost -read /Search)
>>> Assuming you have it installed, what does:
python -c '\
import grp;\
print "testuser" in grp.getgrnam("testgroup").gr_mem'
...say? This fragment uses the same APIs as "Group-Name".If this says "True"
then you've mis-configured FreeRADIUS somehow. If it says "False", then the
user isn't in the group as reported by those APIs, and you'll need to query
your group database another way. It might be the latter - maybe your new OS X
machine isn't pulling Unix group from OpenDirectory, but the old one was?
Thank you for that test code, that is extremely helpful.
The output on the NEW server returns: "False"
The output on the OLD server returns: "True"
>From the behavior observed, plus the information you provided above... I agree
>that it looks like I will have to pull this information in another way. I
>just missed your email late last night... in my prior reply I have a working
>prototype that queries opendirectory for the user authentication ... and
>queries the group via openldap (via opendirectory). It appears to be
>working; I plan to test it more today.
>>> Usually, using "Group-Name" is a bad choice; if there is a backend database
>>> (LDAP, SQL, text files) you are better off querying it directly, rather
>>> than interposing the get*nam APIs.
Thank you for this... I did not know that Group-Name is not always the best
choice. I seem to be missing an obvious piece of documentation... but neither
http://freeradius.org/rfc/attributes.html or
http://freeradius.org/radiusd/man/users.html or
http://freeradius.org/radiusd/man/rlm_unix.html mention anything about
Group-Name. Can you point me towards a document describing this? (tried
searching, I must be missing it)
Thanks again.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
