authorize a user using a multivalue ldap attribute

Ana Gallardo ana.gallardo.77 at gmail.com
Fri Oct 22 11:38:59 CEST 2010


Hello again,

I have a string attribute named Relaciones in my ldap.
>
> This attribute can have more than one value. Actually I return those values
> in the reply:
>
> Sending Access-Accept of id 229 to X.X.X.X port 32796
>     Relaciones += "-11"
>     Relaciones += "03"
>     Relaciones += "-01"
>
> I want to authorize the access only if there is one attribute Relaciones
> with a positive value. So I would like to use unlang in authorize module to
> check all the attributes "Relaciones" with a regex, but I don't know how can
> I check all the attributes, and how can I stop processing the attributes if I
> found one without a minus sign.
>
>
> if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) {
>
> }
>
>
>
Maybe I can check the value with a check item:

#cat /etc/freeradius/ldap.attrmap

checkItem       NT-Password         ntPassword
checkItem       Relaciones            Relaciones      ~= /^([0-9]{2})/

replyItem       Nombre-Completo    sn
replyItem       Relaciones              Relaciones      +=

Anyway, I tested both ideas, but they don't work:

[ldap] looking for check items in directory...
  [ldap] ntPassword -> NT-Password == 0x3...
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += "-11"
  [ldap1] Relaciones -> Relaciones += "03"
  [ldap1] Relaciones -> Relaciones += "-01"
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap1] user XXX authorized to use remote access
  [ldap1] ldap_release_conn: Release Id: 0
++++[ldap1] returns ok
++++? if (fail)
? Evaluating (fail) -> FALSE
++++? if (fail) -> FALSE
++++- entering else else {...}
+++++? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/)
        expand: %{reply:Relaciones} -> -11
? Evaluating ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE
+++++? if ("%{reply:Relaciones}" =~ /^([0-9]{2})/) -> FALSE
++++- else else returns ok


any ideas?

thank you very much.

____________________

  Ana Gallardo Gómez
____________________
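
An added example, not part of the original post and not FreeRADIUS code: a Python model of the check traced in the debug output above, where %{reply:Relaciones} expanded to only the first value (-11), beside a check that walks every value and stops at the first one without a minus sign. The log sample is constructed from the lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the reply-item lines from the debug output in the post.
DEBUG_LOG = '''\
[ldap1] looking for reply items in directory...
  [ldap1] Relaciones -> Relaciones += "-11"
  [ldap1] Relaciones -> Relaciones += "03"
  [ldap1] Relaciones -> Relaciones += "-01"
[ldap1] user XXX authorized to use remote access
'''

# Matches lines such as:  [ldap1] Relaciones -> Relaciones += "03"
REPLY_ITEM = re.compile(r'^\s*\[\w+\]\s+(\S+)\s+->\s+(\S+)\s+\+?=\s+"([^"]*)"\s*$')

# The regex from the post: value starts with two digits, i.e. no minus sign.
POSITIVE = re.compile(r'^([0-9]{2})')


def reply_values(log, attribute):
    """Return every value mapped to `attribute`, in the order the log lists them."""
    values = []
    for line in log.splitlines():
        m = REPLY_ITEM.match(line)
        if m and m.group(2) == attribute:
            values.append(m.group(3))
    return values


def first_value_check(values):
    """What the debug output shows: only the first value is expanded and tested."""
    return bool(values) and POSITIVE.match(values[0]) is not None


def any_value_check(values):
    """Intended policy: accept as soon as one value has no minus sign.
    An empty list is rejected, so a user with no Relaciones fails closed."""
    for value in values:
        if POSITIVE.match(value):
            return True  # stop at the first positive value
    return False


if __name__ == "__main__":
    vals = reply_values(DEBUG_LOG, "Relaciones")
    print(vals, first_value_check(vals), any_value_check(vals))
```
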