Alexander Clouter wrote:
Peter Lambrechtsen <plambrechtsen@gmail.com> wrote:
  
I find the easist way to do it is to use a custom "users" file to allow /
prevent access based on exact matches of LDAP attributes.

then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
reject.

This is how we do it here:

http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html

    
Peter... but how does that work with multivalued attributes? If someone has employeeType[0] = "FooBar" and employeeType[1] = "STAFF OFFSITE" it doesn't seem like it would work...

Also, at the moment, I don't have a users file... I'm using LDAP only, with the little configuration I need in unlang.
Depending on how you have things set up locally and how you are trying 
to skin this particular cat, but you could just use an LDAP filter to 
get all this done and keep the logic out of FreeRADIUS (although I 
probably would *not* recommend it):
----
filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
----

Means you get the effect as if the user did not even exist.

Just throwing another option out there...although I would recommend the 
users file with a bunch of fall throughs personally.

Cheers

  
I know I didn't specify it in my original message, but that loses the verbose (SQL-ized) logging that I need...

I don't really know anything about it, and haven't seen mention of it outside of the modules list, but perhaps I could use rlm_perl or rlm_python? Does anyone know about the efficiency of these? I know I'm approaching this from the standpoint of a traditional programming language, but the way I see it, I just need to loop over the values of the employeeType[] attribute, and have some sort of variable to store state...

-Jason