I find the easist way to do it is to use a custom "users" file to allow / prevent access based on exact matches of LDAP attributes. then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise reject. This is how we do it here: http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg003... On Thu, Jun 16, 2011 at 9:23 AM, Jason Antman <jantman@oit.rutgers.edu>wrote:
Greetings,
I have to control authorization based on a (possibly) multi-valued LDAP reply attribute called employeeType. I have all of the LDAP code working fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max of 5 or so) employeeType values. The pertinent ones include "STAFF", "STAFF TEMPORARY", "STAFF OFFSITE", and "STAFF RETIRED". I need to allow all "STAFF" types access, unless their one and only "STAFF*" is "STAFF RETIRED" (yes, don't get me started, but it's considered "perfectly valid" for someone to have employeeTypes of staff, staff retired, and staff offsite).
So essentially, I need to allow in anyone with "STAFF", not followed by " RETIRED". At the moment, I'm using %{reply:employeeType[*]} which works fine for reged matching all of the other funky attributes that should grant access. But I can't seem to figure out how to say, either with unlang comparisons or regexes (I'm on CentOS/RedHat, so I assume it would be POSIX, either BRE or ERE) or both, how to exclude that one condition.
Examples: STAFF, STAFF RETIRED, SALARIED -> Accept STAFF -> Accept STAFF RETIRED -> Reject STAFF, STAFF TEMPORARY -> Accept FOO, STAFF RETIRED, BAR -> Reject FOO, STAFF, BAR -> Accept
Any hints or guidance would be greatly appreciated. I've searched through all of the regex material I could find, and asked on #regex IRC and as many regex gurus as I could find, and the best answer I got was to combine regexes with some sort of unlang construct... but I can't seem to think of anything which will match my logical need... "the string STAFF not followed immediately by the string RETIRED".
Thanks, Jason Antman
PS - I know the Right answer here is "fix your LDAP schema". Unfortunately, I don't have any control over that. Or even the power to make suggestions. All I have is a directive of who gets in and who doesn't. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html