LDAP Accounting
Olivier Beytrison
olivier at heliosnet.org
Tue Dec 11 15:31:42 CET 2012
On 11.12.2012 15:26, Arran Cudbard-Bell wrote:
>> And one more thing that would be nice to have: if something goes wrong
>> with those LDAP modifications, we should be able to choose whether the
>> user is rejected or not. Like:
>>
>> post-auth {
>>     update {
>>         <attr> <op> <val>
>>     }
>>     error = reject/noop
>> }
>
> You can do that already with rcode overrides.
>
> ldap {
>     fail = 1
> }
> if (fail) {
>     ok
> }
Fair enough :)
>>
>> And for the := set operator on multi-valued LDAP attributes, we could
>> implement something like <attr> := <old-value>:<new-value>.
>> But that's pushing things too far in my opinion ...
>
> Oh is that why it replaces everything?
>
> Do you know how to represent that in the mods struct?
You pointed it out in a previous mail:
{ LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } },
"old value", "new value", 0
Same goes for LDAP_MOD_ADD, but in that case it operates the same way as
REPLACE: if an attribute with the old value exists, replace it with the new
value, otherwise create it. So not worth implementing it, imho.
Olivier
--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
Mobile: +41 (0)78 619 73 53
Mail: olivier at heliosnet.org