On 11.12.2012 13:40, Arran Cudbard-Bell wrote:
with roomNumber := "User %{%{Stripped-User-Name}:-%{User-Name}} logged in at %S"
The main thing is we have a way of doing it, even if it's a little ugly.
Actually, it looks like you can do a wildcard delete if you pass a 0 length value array.
Could you try
update { <attribute> -= ANY }
Bare ANY keyword being magic.
Works very well [1] :) Thx! and one more thing that would be nice to have. If something goes wrong with those ldap modifications, we should be able to choose if the user is rejected or not. like post-auth { update { <attr> <op> <val> } error = reject/noop } and for the := set operator on multi-valued ldap attribute, we could implement something like <attr> := <old-value>:<new-value>. But that's pushing thing too far in my opinion ... thanks for your work Arran! Olivier [1] with roomNumber -= ANY ldapsearch before request : roomNumber: Hello 2012-12-11 13:42:06 roomNumber: pouet lala roomNumber: pouet hoho roomNumber: hihohu radtest request : Sending Access-Request of id 236 from 0.0.0.0 port 52704 to 127.0.0.1 port 1812 User-Name != "olivier.beytriso" NAS-IP-Address != 160.98.240.25 NAS-Port != 0 Message-Authenticator != 0x00 MS-CHAP-Challenge != xxxxxxx MS-CHAP-Response != xxxxxxxxx rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=236, length=84 MS-CHAP-MPPE-Keys != 0xf087f73xxxxxxx4ac880000000000000000 MS-MPPE-Encryption-Policy != Encryption-Allowed MS-MPPE-Encryption-Types != RC4-40or128-bit-Allowed ldapsearch after : dn: cn=31935762,ou=courant,ou=people,o=hes-so -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org