On 11 Dec 2012, at 14:31, Olivier Beytrison <olivier@heliosnet.org> wrote:
On 11.12.2012 15:26, Arran Cudbard-Bell wrote:
and one more thing that would be nice to have. If something goes wrong with those ldap modifications, we should be able to choose if the user is rejected or not. like
post-auth { update { <attr> <op> <val> } error = reject/noop }
You can do that already with rcode overrides.
ldap { fail = 1 } if (fail) { ok }
Fair enough :)
and for the := set operator on multi-valued ldap attribute, we could implement something like <attr> := <old-value>:<new-value>. But that's pushing thing too far in my opinion ...
Oh is that why it replaces everything?
Do you know how to represent that in the mods struct?
you pointed it out in a previous mail { LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } }, "old value", "new value", 0 same goes for LDAP_MOD_ADD, but in that case it operates the same way as REPLACE. if attribute with old value exists, replace with new value, otherwise create it. so not worth implementing it imho
Blerg, you'd have to escape and unescape : in xlat expansions but yes, I guess it should be possible. AFAIK the conffile API doesnt allow you to create multivalued attributes. -Arran