LDAP Accounting
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Dec 11 15:37:00 CET 2012
On 11 Dec 2012, at 14:31, Olivier Beytrison <olivier at heliosnet.org> wrote:
> On 11.12.2012 15:26, Arran Cudbard-Bell wrote:
>
>>> and one more thing that would be nice to have. If something goes wrong
>>> with those ldap modifications, we should be able to choose if the user
>>> is rejected or not. like
>>>
>>> post-auth {
>>>     update {
>>>         <attr> <op> <val>
>>>     }
>>>     error = reject/noop
>>> }
>>
>> You can do that already with rcode overrides.
>>
>> ldap {
>>     fail = 1
>> }
>> if (fail) {
>>     ok
>> }
>
> Fair enough :)
>
>>>
>>> and for the := set operator on multi-valued ldap attribute, we could
>>> implement something like <attr> := <old-value>:<new-value>.
>>> But that's pushing things too far in my opinion ...
>>
>> Oh is that why it replaces everything?
>>
>> Do you know how to represent that in the mods struct?
>
> you pointed it out in a previous mail
> { LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } },
> "old value", "new value", 0
> same goes for LDAP_MOD_ADD, but in that case it operates the same way as
> REPLACE. if attribute with old value exists, replace with new value,
> otherwise create it. so not worth implementing it imho
Blerg, you'd have to escape and unescape : in xlat expansions but yes, I guess it should be possible.
AFAIK the conffile API doesn't allow you to create multivalued attributes.
-Arran