Problem checking multivalued attributes in LDAP schemas.

Erling Paulsen erling.paulsen at cc.uit.no
Tue Dec 5 14:23:19 CET 2006


Kostas Kalevras wrote:
> Erling Paulsen wrote:
> 
>> I try to make a decision based on checking for a value in a certain 
>> attribute of an LDAP schema. The problem is that this is a multivalued 
>> attribute, and it seems somewhat undefined when I try to check against 
>> it!
>>
>> My exact problem is checking against an "eduPerson" schema for an 
>> affiliation on an attribute called "eduPersonAffiliation" (which is 
>> multivalued). I want to check if a certain user has the right 
>> affiliation=xxxx before assigning a dynamic VLAN.
>>
>> I fetch the attribute in Authorization as "LDAP-Affiliation" (mapped 
>> as a checkItem in ldap.attrmap). I've tried checking with the regular 
>> expression operator (i.e. for "staff" affiliation), but it seems to 
>> not give a match. Ex. check-statement from users file:
>>     LDAP-Affiliation :~ .*staff.*
>>
>> In the LDAP-backend the "eduPersonAffiliation" is shown as containing:
>>
>> eduPersonAffiliation:
>>     employee
>>     staff
>>     member
>>
>> Is this a common problem in checking against multivalued attributes, 
>> or is there a way around it?
>>
>>
>> Any feedback would be appreciated!
>> - Erling Paulsen
>> - List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> 
> You could try using the checkval module which supports multivalued 
> attributes

Yes, it works.

I just had to add the request attribute to the hints-file, fetch the 
check attribute from LDAP and then match via checkval.

Thanks!


