Initial support of Multi Valued Attributes operators

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 25 18:12:03 CET 2013


On 25/03/13 16:50, Olivier Beytrison wrote:
> Hello,
>
> I've sent a pull request to add the initial support of MVA operators.
>
> This add 4 new operators to perform basic comparison with multivalued
> attributes
>
> * |== At least one attribute should equal the value
> * &== All attributes should equal the value
> * |=~ At least one attribute should match the regular expression
> * &=~ All attributes should match the regular expression
> The allowed syntax are

I'm a bit confused. Can you summarise how the *existing* operators 
behave, and how this is different?

For example, =~ *already* matches "if one attribute" matches the regexp 
- we're relying on that behaviour, after my patch in 5a89c94633, and 
that code also populates the %{group} captures (of the first match)

Likewise, I thought == matches if one of several attributes match, but 
that's not behaviour I'm testing.

I don't understand the use-case for &==

> For example, this will allow to simply check ldap-group with unlang
> without building a foreach loop or using huntfile. Arran is in the
> process to add this feature to rlm_ldap.

Again, I don't understand this; this is what "Ldap-Group == xx" already 
doesn't it? Have I misunderstood?

> With those operators, it would also make sense to retrieve all values
> with sql/ldap xlat. But this is to be discussed.

Some better way to pull >1 value from SQL/LDAP would be good, and 
ideally a slightly cleaner syntax for doing it.


More information about the Freeradius-Devel mailing list