Filter multivalued attributes in rlm_sql

JUND, Aurélien aurelien.jund at sfr.com
Mon Aug 23 18:13:21 CEST 2010


I cannot use an additional attribute to store the information I need. The LDAP server I am querying is modularized (and I don't manage it), and I cannot modify its structure.


In order to check the authorisation status of the user, I need to check its status in the SQL base.
The username (for the database; it's not the RADIUS username used for authentication) is stored in LDAP in the multi-valued attribute "SystemId".

SystemId is instantiated 3 times (or more) for each user:


SystemId = LoginSql=USER
SystemId = LoginWindows=toto
SystemId = LoginZozo=L00000


I need only one value, the one starting with "LoginSql=".

I tried many things without success, but each time I'm not sure about the syntax. 

What solution would be possible?

1: Force rlm_ldap to store only the SystemId starting with "LoginSql=" in the reply item? I was thinking I could use a regex in some way with this module, but didn't manage...

2: Store all the different values of SystemId, using the same RADIUS attribute each time (e.g. Callback-Number).
Filter the attributes in order to strip all Callback-Number values but the one starting with LoginSql, before it is processed by rlm_sql.
 => I didn't find how to store a multi-valued attribute.


I was looking for an xlat syntax which would return only the value I need (like a ldapsearch <search parameters> | grep "LoginSql="), but it does not look possible.


If all of the above are not possible, I think I will have to patch rlm_ldap, but I would really like to avoid this, as my last C development is far, far away... Any other idea?


Aurélien 


-----Original Message-----
From: freeradius-users-bounces+aurelien.jund=sfr.com at lists.freeradius.org [mailto:freeradius-users-bounces+aurelien.jund=sfr.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, July 13, 2010 10:54
To: FreeRadius users mailing list
Subject: Re: Filter multivalued attributes in rlm_sql

JUND wrote:
> When I use :
> 
> sql_user_name = "%{reply:Callback-Number}"
>  
> I always get the first value of the Callback-Number,

  That's the way it works.  See "man unlang" for how to reference a
specific variable.

> but I would like to
> use only the one starting with "TEST=". Is there a way to filter a
> multivalued attribute to use it for the sql_user_name?

  Not really, no.  I suggest adding the data into an *additional*
attribute, and using that.

  Alan DeKok.