Initial support of Multi Valued Attributes operators

Olivier Beytrison olivier at heliosnet.org
Mon Mar 25 18:23:17 CET 2013


On 25.03.2013 18:12, Phil Mayers wrote:
> On 25/03/13 16:50, Olivier Beytrison wrote:
>> Hello,
>>
>> I've sent a pull request to add the initial support of MVA operators.
>>
>> This adds 4 new operators to perform basic comparison with multivalued
>> attributes
>>
>> * |== At least one attribute should equal the value
>> * &== All attributes should equal the value
>> * |=~ At least one attribute should match the regular expression
>> * &=~ All attributes should match the regular expression
>> The allowed syntaxes are
> 
> I'm a bit confused. Can you summarise how the *existing* operators
> behave, and how this is different?
> 
> For example, =~ *already* matches "if one attribute" matches the regexp
> - we're relying on that behaviour, after my patch in 5a89c94633, and
> that code also populates the %{group} captures (of the first match)

The %{group} capture is to match and capture part of *one* attribute. If
you have the same attribute multiple times in the list, the only option
was foreach (in 3.0).

I'll give you a real example based on my use of those operators. My LDAP
populates attributes which represent the "roles" of the person within the
school:

control:HESSO-Role += "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL" (hessoRole)
control:HESSO-Role += "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#STD#" (hessoRole)

People can have from one to 6-7 of those attributes. With normal unlang
operators it will only compare the first attribute it finds.

Now I can do
if(control:HESSO-Role |=~ /STD/) {
   student_policy
}

> Likewise, I thought == matches if one of several attributes match, but
> that's not behaviour I'm testing.

Nope, it only checks the first attribute. Till now there was no looping
over all the possible same attribute names in the list.

> I don't understand the use-case for &==

I don't see one. But maybe someday someone will need it?

>> For example, this will allow to simply check ldap-group with unlang
>> without building a foreach loop or using huntfile. Arran is in the
>> process to add this feature to rlm_ldap.
> 
> Again, I don't understand this; this is what "Ldap-Group == xx" already
> does, doesn't it? Have I misunderstood?

In the huntfile yes. Not in unlang and policy, unless I've misread the
code for the past two weeks ;)
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: olivier at heliosnet.org

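The operator semantics described in this thread, modelled as an added Python example (not FreeRADIUS or rlm_ldap code) over the two hessoRole values quoted above; how an absent attribute evaluates is this example's own choice, not something the thread states:

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample: the two HESSO-Role values quoted in the mail, in list order.
SAMPLE_ROLES: List[str] = [
    "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#EMP#COL",
    "31935762-440774439#RORG-HEFR-EIFR-INTR-INFO#STD#",
]


def _eq(value: str, rhs: str) -> bool:
    return value == rhs


def _match(value: str, rhs: str) -> bool:
    return re.search(rhs, value) is not None


# Prefix '|' means "at least one value", '&' means "all values";
# suffix '==' is string equality, '=~' is a regular-expression search.
MVA_OPERATORS: Dict[str, Callable[[List[str], str], bool]] = {
    "|==": lambda vals, rhs: any(_eq(v, rhs) for v in vals),
    "&==": lambda vals, rhs: all(_eq(v, rhs) for v in vals),
    "|=~": lambda vals, rhs: any(_match(v, rhs) for v in vals),
    "&=~": lambda vals, rhs: all(_match(v, rhs) for v in vals),
}


def evaluate(values: List[str], op: str, rhs: str) -> bool:
    """Apply one of the four MVA operators to every value of the attribute."""
    if op not in MVA_OPERATORS:
        raise ValueError(f"unknown MVA operator {op!r}")
    if not values:
        # Assumption of this example: a missing attribute never matches,
        # so '&' does not become vacuously true on an empty list.
        return False
    return MVA_OPERATORS[op](values, rhs)


def legacy_evaluate(values: List[str], op: str, rhs: str) -> bool:
    """Behaviour the thread describes for plain == / =~: only the first value is checked."""
    if not values:
        return False
    return _eq(values[0], rhs) if op == "==" else _match(values[0], rhs)


def first_match(values: List[str], pattern: str) -> Optional[re.Match]:
    """For |=~, the match object of the first value that matches (what %{group} would capture)."""
    for v in values:
        m = re.search(pattern, v)
        if m:
            return m
    return None
```

With the sample list, `|=~ /STD/` is true while the legacy `=~ /STD/` is false, because only the first value is consulted and it carries the EMP role.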