On 1/27/2011 3:03 PM, Phil Mayers wrote:
I've met this need (using 2.1.11 from git) with a simple bit of unlang in post-auth{}: if ( "%{TLS-Client-Cert-Subject}" =~ /OU=Evil/ ) { reject }
Just put this in the "authorize" section? If it's early in the EAP conversation, TLS-Client-* won't be set so won't match, meaning this will succeed as soon as yo uget that far.
I'm not sure I follow you here. Are you saying that there is a place in the authorize section where TLS-Client-* _would_ be accessible to unlang? I've tried it in a few places (before eap, after eap, at the top of the section, at the bottom of the section) and it seemed to have no effect. But it's entirely possible that I missed something during these tests.
Correct. Unlang is only processed in authorize-like steps, not arbitrary bits of the config.
I can understand that. But given that the eap module has access to some client cert fields during authentication (e.g. check_cert_issuer and check_cert_cn), it would be nice to be able to access these and other client cert fields with unlang (or something similar) at that stage. But, admittedly, I'm way over my head here :-) so I'll make do with one of the methods described earlier in this thread. Thanks, -Matt