3.0.x: check regex against multiple instances of attribute

Herwin Weststrate herwin at quarantainenet.nl
Mon Jul 7 14:01:40 CEST 2014


On 07-07-14 13:42, Stefan Winter wrote:
> Hello,
> 
> currently setting up 3.0 with one of our eduroam participants here in Luxembourg.
> 
> They have an AD backend, and auth via ntlm_auth works fine.
> 
> Now, they also want to extract group membership attributes and assign users to VLANs as appropriate.
> 
> The users can be members of multiple groups and there is an LDAP attribute "memberOf" which spits out all applicable groups in sequence. I've used the ldap modules in authorize to do that, and add the groups with +=. This seems to work (debug snippet below).
> 
> Now I'd like to use unlang to check "if one of the values of those attributes matches regex foo, add the user to VLANx".
> 
> I used to think there was a special comparison operator for exactly that purpose, but I can't for the life of me find it in documentation.
> 
> What I've tried is
> 
> if ( control:Member-Check =~ /regex/ ) but that apparently checks only the first occurrence of the control item; i.e. it returns true if the regex is contained in the first instance, but not if it is contained only in a non-first instance.
> 
> I guess I'm missing something fairly obvious?
> 
> A typical debug is this:
> 
> 
> 
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : Waiting for search result...
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : User object found at DN "CN=My User,OU=Test,OU=Users,DC=mydomain,DC=com"
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap : Processing user attributes
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group1,OU=SecurityGroupsManagedCentrally,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group2,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group3,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group4,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group5,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=VLAN-Students,OU=Network,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group6,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: (7) ldap :           control:Member-Check += ''CN=Group7,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com''
> Mon Jul  7 11:21:14 2014 : Debug: rlm_ldap (ldap): Released connection (4)
> Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: returned from ldap (rlm_ldap) for request 7
> Mon Jul  7 11:21:14 2014 : Debug: (7)   [ldap] = ok
> Mon Jul  7 11:21:14 2014 : Debug: (7)    if ( control:Member-Check =~ /Student/ )
> Mon Jul  7 11:21:14 2014 : Debug: (7)    if ( control:Member-Check =~ /Student/ )  -> FALSE
> Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: calling pap (rlm_pap) for request 7
> Mon Jul  7 11:21:14 2014 : Debug: (7)   modsingle[authorize]: returned from pap (rlm_pap) for request 7
> Mon Jul  7 11:21:14 2014 : Debug: (7)   [pap] = noop
> Mon Jul  7 11:21:14 2014 : Debug: (7)  } #  authorize = updated
> 
> The regex "Student" should match the sixth instance of the control items, but doesn't.
> 
> If someone could lend me a hint ...

You can use the foreach-keyword. It is documented in man unlang(5), but
maybe a short snippet (straight from the unit tests) is clearer:


  # Expanded regex
  foreach Cisco-AVPair {
    if ("%{Foreach-Variable-0}"  =~ /^%{Tmp-String-0}=(.*)$/i) {
      update reply {
        Called-Station-Id += "%{1}"
      }
    }
  }

  # Compiled regex
  foreach Cisco-AVPair {
    if ("%{Foreach-Variable-0}"  =~ /^stupid=(.*)$/i) {
      update reply {
        Called-Station-Id += "%{1}"
      }
    }
  }


-- 
Herwin Weststrate
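Applied to the case in this thread, as an added example that is neither from the original post nor from the FreeRADIUS unit tests: a foreach over control:Member-Check that tests every group DN, not just the first instance, and assigns the VLAN on a match. The group DN is the one from the debug output above; the VLAN id is a placeholder, and the attribute name control:Member-Check is assumed to be the same as in the thread.

```unlang
# Added example: iterate over every instance of control:Member-Check
# instead of testing only the first one. Inside the loop the current
# value is available as Foreach-Variable-0.
foreach control:Member-Check {
  # Anchor the match to the full group DN seen in the debug output rather
  # than the bare substring /Student/, so no other group whose CN happens
  # to contain "Student" can trigger the VLAN assignment.
  if ("%{Foreach-Variable-0}" =~ /^CN=VLAN-Students,OU=Network,OU=Groups,DC=mydomain,DC=com$/i) {
    update reply {
      Tunnel-Type := VLAN
      Tunnel-Medium-Type := IEEE-802
      # VLAN id is a placeholder; substitute the real one.
      Tunnel-Private-Group-Id := "VLAN_ID_PLACEHOLDER"
    }
    # One matching group is enough; stop iterating.
    break
  }
}
```

Running the server in debug mode (radiusd -X) shows each iteration of the foreach and the result of the if, which makes it easy to confirm the sixth instance is now reached.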
