LDAP Accounting

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Dec 11 15:37:00 CET 2012


On 11 Dec 2012, at 14:31, Olivier Beytrison <olivier at heliosnet.org> wrote:

> On 11.12.2012 15:26, Arran Cudbard-Bell wrote:
> 
>>> and one more thing that would be nice to have. If something goes wrong
>>> with those ldap modifications, we should be able to choose if the user
>>> is rejected or not. like
>>> 
>>> post-auth {
>>> 	update {
>>> 		<attr> <op> <val>
>>> 	}
>>> 	error = reject/noop
>>> }
>> 
>> You can do that already with rcode overrides.
>> 
>> ldap {
>> 	fail = 1
>> }
>> if (fail) {
>> 	ok
>> }
> 
> Fair enough :)
> 
>>> 
>>> and for the := set operator on multi-valued ldap attribute, we could
>>> implement something like <attr> := <old-value>:<new-value>.
>>> But that's pushing things too far in my opinion ...
>> 
>> Oh is that why it replaces everything?
>> 
>> Do you know how to represent that in the mods struct?
> 
> you pointed it out in a previous mail
> { LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } },
> "old value", "new value", 0
> same goes for LDAP_MOD_ADD, but in that case it operates the same way as
> REPLACE. if attribute with old value exists, replace with new value,
> otherwise create it. so not worth implementing it imho

Blerg, you'd have to escape and unescape : in xlat expansions but yes, I guess it should be possible.

AFAIK the conffile API doesn't allow you to create multivalued attributes.

-Arran
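
The escaping issue raised above, as an added example that is not from this thread or from the FreeRADIUS source: splitting a proposed `<old-value>:<new-value>` string at the first unescaped `:`. The backslash escape convention and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed convention (not FreeRADIUS's): '\' escapes the next byte,
 * so "\:" is a literal colon and "\\" a literal backslash. */

/* Copy in[0..inlen) to out with escapes removed; -1 on a dangling
 * backslash or when out (outlen bytes, NUL included) is too small. */
static int unescape_part(const char *in, size_t inlen, char *out, size_t outlen)
{
	size_t i, o = 0;

	if (outlen == 0) return -1;
	for (i = 0; i < inlen; i++) {
		char c = in[i];
		if (c == '\\') {
			if (++i >= inlen) return -1;	/* nothing left to escape */
			c = in[i];
		}
		if (o + 1 >= outlen) return -1;		/* refuse to truncate */
		out[o++] = c;
	}
	out[o] = '\0';
	return 0;
}

/* Split "<old-value>:<new-value>" at the first unescaped ':'.
 * Returns 0 on success, -1 if malformed or a buffer is too small. */
int split_old_new(const char *in, char *old, size_t oldlen, char *new_val, size_t newlen)
{
	size_t i, len = strlen(in);

	for (i = 0; i < len; i++) {
		if (in[i] == '\\') { i++; continue; }	/* skip the escaped byte */
		if (in[i] == ':') break;
	}
	if (i >= len) return -1;			/* no unescaped separator */
	if (unescape_part(in, i, old, oldlen) < 0) return -1;
	return unescape_part(in + i + 1, len - i - 1, new_val, newlen);
}

int main(void)
{
	char old[64], new_val[64];	/* constructed sample input below */

	if (split_old_new("cn=a\\:b:cn=c", old, sizeof(old), new_val, sizeof(new_val)) == 0)
		printf("old=[%s] new=[%s]\n", old, new_val);
	return 0;
}
```

Only the first unescaped `:` is treated as the separator; any later `:` stays in the new value as-is.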