3.0.x: check regex against multiple instances of attribute

Stefan Winter stefan.winter at restena.lu
Mon Jul 7 13:42:32 CEST 2014


Hello,

currently setting up 3.0 with one of our eduroam participants here in Luxembourg.

They have an AD backend, and auth via ntlm_auth works fine.

Now, they also want to extract group membership attributes and assign users to VLANs as appropriate.

The users can be members of multiple groups and there is an LDAP attribute "memberOf" which spits out all applicable groups in sequence. I've used the ldap modules in authorize to do that, and add the groups with +=. This seems to work (debug snippet below).

Now I'd like to use unlang to check "if one of the values of those attributes matches regex foo, add the user to VLANx".

I used to think there was a special comparison operator for exactly that purpose, but I can't for the life of me find it in documentation.

What I've tried is

if ( control:Member-Check =~ /regex/ ) but that apparently checks only the first occurrence of the control item; i.e. it returns true if the regex is contained in the first instance, but not if it is contained only in a non-first instance.

I guess I'm missing something fairly obvious?

A typical debug is this:

Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : Waiting for search result...
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : User object found at DN "CN=My User,OU=Test,OU=Users,DC=mydomain,DC=com"
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : Processing user attributes
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group1,OU=SecurityGroupsManagedCentrally,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group2,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group3,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group4,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group5,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=VLAN-Students,OU=Network,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group6,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group7,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
Mon Jul  7 11:21:14 2014 : Debug: rlm_ldap (ldap): Released connection (4)
Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: returned from ldap (rlm_ldap) for request 7
Mon Jul  7 11:21:14 2014 : Debug: (7)   [ldap] = ok
Mon Jul  7 11:21:14 2014 : Debug: (7)    if ( control:Member-Check =~ /Student/ )
Mon Jul  7 11:21:14 2014 : Debug: (7)    if ( control:Member-Check =~ /Student/ )  -> FALSE
Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: calling pap (rlm_pap) for request 7
Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: returned from pap (rlm_pap) for request 7
Mon Jul  7 11:21:14 2014 : Debug: (7)   [pap] = noop
Mon Jul  7 11:21:14 2014 : Debug: (7)  } #  authorize = updated

The regex "Student" should match the sixth instance of the control items, but doesn't.

If someone could lend me a hint ...

Stefan
-- 
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
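The following is an added example, not code from the original post and not from the FreeRADIUS project. It shows the 3.0.x unlang form of the check the post is looking for: a bare `control:Member-Check` in a condition refers to the first instance of the attribute only, while `control:Member-Check[*]` refers to every instance, and the condition is true if any instance matches. The VLAN numbers (100, 200), the `VLAN-Staff` group, and the exact group DN patterns are assumptions for the example; the `VLAN-Students` group name is the one visible in the debug output above.

```unlang
# Added example (FreeRADIUS 3.0.x unlang), not from the original post.
# Assumes the ldap module has already populated control:Member-Check with
# one instance per "memberOf" value, as in the debug output above.
# VLAN ids, the VLAN-Staff group and the DN patterns are assumptions.

authorize {
    # ... other authorize modules for the site omitted ...

    ldap

    # control:Member-Check          -> first instance only (what the post tried)
    # control:Member-Check[*]       -> all instances; true if ANY matches
    #
    # The regex is anchored on the CN so that "Student" appearing somewhere
    # else in a DN (an OU name, or a group such as "CN=Ex-Students,...")
    # does not accidentally put the user on the students' VLAN.
    if (control:Member-Check[*] =~ /^CN=VLAN-Students,/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
    elsif (control:Member-Check[*] =~ /^CN=VLAN-Staff,/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "200"
        }
    }
    else {
        # No VLAN group at all: fail closed instead of letting the NAS
        # fall back to whatever its default VLAN happens to be.
        reject
    }

    pap
}
```

Two caveats when using this with an AD backend: `memberOf` only lists the groups a user is a direct member of, so users who inherit VLAN membership through nested groups will not match; and the order of the `if`/`elsif` branches decides which VLAN wins for a user who is in more than one VLAN group, so put the most restrictive group first.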