Hello, currently setting up 3.0 with one of our eduroam participants here in Luxembourg. They have an AD backend, and auth via ntlm_auth works fine. Now, they also want to extract group membership attributes and assign users to VLANs as appropriate. The users can be members of multiple groups and there is an LDAP attribute "memberOf" which spits out all applicable groups in sequence. I've used the ldap modules in authorize to do that, and add the groups with +=. This seems to work (debug snippet below). Now I'd like to use unlang to check "if one of the values of those attributes matches regex foo, add the user to VLANx. I used to think there was a special comparison operator for exactly that purpose, but I can't for the life of me find it in documentation. What I've tried is if ( control:Member-Check =~ /regex/ ) but that apparently checks only the first occurence of the control item; I.e. it returns true if the regex is contained in the first instance, but not if it is contained only in a non-first instance. I guess I'm missing something fairly obvious? A typical debug is this: Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : Waiting for search result... Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : User object found at DN "CN=My User,OU=Test,OU=Users,DC=mydomain,DC=com" Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : Processing user attributes Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group1,OU=SecurityGroupsManagedCentrally,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group2,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group3,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group4,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group5,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=VLAN-Students,OU=Network,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group6,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: (7) ldap : control:Member-Check += ''CN=Group7,OU=SecurityGroups,OU=Groups,DC=mydomain,DC=com'' Mon Jul 7 11:21:14 2014 : Debug: rlm_ldap (ldap): Released connection (4) Mon Jul 7 11:21:14 2014 : Debug: (7) modsingle[authorize]: returned from ldap (rlm_ldap) for request 7 Mon Jul 7 11:21:14 2014 : Debug: (7) [ldap] = ok Mon Jul 7 11:21:14 2014 : Debug: (7) if ( control:Member-Check =~ /Student/ ) Mon Jul 7 11:21:14 2014 : Debug: (7) if ( control:Member-Check =~ /Student/ ) -> FALSE Mon Jul 7 11:21:14 2014 : Debug: (7) modsingle[authorize]: calling pap (rlm_pap) for request 7 Mon Jul 7 11:21:14 2014 : Debug: (7) modsingle[authorize]: returned from pap (rlm_pap) for request 7 Mon Jul 7 11:21:14 2014 : Debug: (7) [pap] = noop Mon Jul 7 11:21:14 2014 : Debug: (7) } # authorize = updated The regex "Student" should match the sixth instance of the control items, but doesn't. If someone could lend me a hint ... Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66