Multivalued (LDAP) Attributes and string matching, or regexes

Jason Antman jantman at oit.rutgers.edu
Tue Jun 21 16:12:56 CEST 2011


Alexander Clouter wrote:
> Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:
>   
>> I find the easiest way to do it is to use a custom "users" file to allow /
>> prevent access based on exact matches of LDAP attributes.
>>
>> then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
>> reject.
>>
>> This is how we do it here:
>>
>> http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>>
>>     
Peter... but how does that work with multivalued attributes? If someone 
has employeeType[0] = "FooBar" and employeeType[1] = "STAFF OFFSITE" it 
doesn't seem like it would work...

Also, at the moment, I don't have a users file... I'm using LDAP only, 
with the little configuration I need in unlang.
> Depending on how you have things set up locally and how you are trying 
> to skin this particular cat, but you could just use an LDAP filter to 
> get all this done and keep the logic out of FreeRADIUS (although I 
> probably would *not* recommend it):
> ----
> filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
> ----
>
> Means you get the effect as if the user did not even exist.
>
> Just throwing another option out there...although I would recommend the 
> users file with a bunch of fall throughs personally.
>
> Cheers
>
>   
I know I didn't specify it in my original message, but that loses the 
verbose (SQL-ized) logging that I need...

I don't really know anything about it, and haven't seen mention of it 
outside of the modules list, but perhaps I could use rlm_perl or 
rlm_python? Does anyone know about the efficiency of these? I know I'm 
approaching this from the standpoint of a traditional programming 
language, but the way I see it, I just need to loop over the values of 
the employeeType[] attribute, and have some sort of variable to store 
state...

-Jason
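
The loop-with-state approach described in the message above, as an added example that is not part of the original post and is not FreeRADIUS or rlm_python API code: it walks every employeeType value, applies the rules of the quoted LDAP filter, and returns a reason that can be logged. The dict-of-lists entry shape, the function names and the case-insensitive comparison are assumptions.

```python
# Added example; plain Python, not FreeRADIUS or rlm_python API code.
# Assumption: values compare case-insensitively, as the filter's
# "staff*" next to the thread's "STAFF OFFSITE" implies.

ALLOW_PREFIX = "staff"          # (employeeType=staff*)
DENY_EXACT = "staff retired"    # (!(employeeType=staff retired))


def norm(value):
    """Lower-case and collapse whitespace before comparing."""
    return " ".join(value.split()).casefold()


def decide(entry):
    """entry maps attribute name -> list of values (constructed shape).

    Returns (accept, reason); the reason is what a filter-only setup
    cannot give you, because a non-matching user simply is not found.
    """
    disabled = [norm(v) for v in entry.get("loginDisabled", [])]
    if disabled and "false" not in disabled:
        return False, "loginDisabled is set"

    allowed_by = None  # state carried across the loop
    for raw in entry.get("employeeType", []):
        value = norm(raw)
        if value == DENY_EXACT:
            # A deny value wins wherever it sits in the list.
            return False, "employeeType=%r is denied" % raw
        if allowed_by is None and value.startswith(ALLOW_PREFIX):
            allowed_by = raw
    if allowed_by is None:
        return False, "no employeeType value matches staff*"
    return True, "employeeType=%r matches staff*" % allowed_by


def first_value_only(entry):
    """The pitfall raised in the message: checks employeeType[0] only."""
    values = entry.get("employeeType", [])
    return bool(values) and norm(values[0]).startswith(ALLOW_PREFIX)


# Constructed sample entries.
OFFSITE = {"employeeType": ["FooBar", "STAFF OFFSITE"]}
RETIRED = {"employeeType": ["STAFF", "staff retired"], "loginDisabled": ["FALSE"]}
DISABLED = {"employeeType": ["STAFF"], "loginDisabled": ["TRUE"]}

if __name__ == "__main__":
    for entry in (OFFSITE, RETIRED, DISABLED):
        print(decide(entry), first_value_only(entry))
```

Checking only the first value both rejects the OFFSITE entry and accepts the RETIRED one, which is why the deny check has to see every value before an accept is returned.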