Initial support of Multi Valued Attributes operators

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Mar 25 21:51:07 CET 2013


On 25 Mar 2013, at 14:37, Olivier Beytrison <olivier at heliosnet.org> wrote:

> On 25.03.2013 18:35, Brian Candler wrote:
>> I don't think freeradius will currently let you select the list directly:
>> 
>>  if (control:Tmp-String-0 =~ /foo/) { ...   nope
> 
> As Phil said, it does, at least in HEAD.
> 
> 
>> 
>> Another idea along these lines:
>> 
>>  update {
>>    control:Tmp-String-1 += "bar"
>>    reply:Reply-Message += "Wibble"
>>  }
> 
> This is also already the case
>> and finally:
>> 
>>  update {
>>    /* copy _all_ instances of the attribute to another attribute */
>>    reply:Reply-Message ++= control:Tmp-String-0
>>  }
> 
> This has already been implemented in rlm_cache,

and multiple places in rlm_ldap.

> and Arran made it so we can reuse the logic (attrmap) in other modules.
> 
> Another example of the operator in function :
> post-auth {
>   if (reply:HESSO-Role-Raw =~ /STD/) {
>       noop
>   }
>   if (reply:HESSO-Role-Raw |=~ /STD/) {
>       noop
>   }
> }

A lot of this should wait until we've finalised the syntax for nested attributes as lists may get included as part of the attribute path.

e.g. control.Tmp-TLV-1.Tmp-String-1.

This would allow temporary trees to be constructed and then merged in their entirety into the current request without special consideration for the different lists. This makes places where collections of attributes need to be updated atomically easier (no more tmp_check, tmp_reply etc.).

It also makes dealing with multiple protocols easier, as protocol specific lists can be added without having to update the C structures.

As TLV support is planned for all current modules including rlm_sql, rlm_ldap, rlm_files, this would cover all the scenarios described.

In regards to xlat returning multiple attributes, it's probably not going to happen. xlat is just for string expansion and there are limited places where this is useful (rlm_ldap, rlm_sql and rlm_redis).

What's probably a better idea is to split the connection management and the logic into two or more modules. In addition to the modules that implement the functionality we have now, it would be fairly easy to add stub modules for just doing mapping.

The stub module would contain a query config item and an update section similar to the rlm_ldap and rlm_cache modules. Depending on the operators used, multiple rows would just create multiple instances of attributes.

-Arran


More information about the Freeradius-Devel mailing list