Multivalued (LDAP) Attributes and string matching, or regexes
Jason Antman
jantman at oit.rutgers.edu
Wed Jun 15 23:23:36 CEST 2011
Greetings,
I have to control authorization based on a (possibly) multi-valued LDAP
reply attribute called employeeType. I have all of the LDAP code working
fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max
of 5 or so) employeeType values. The pertinent ones include "STAFF",
"STAFF TEMPORARY", "STAFF OFFSITE", and "STAFF RETIRED". I need to allow
all "STAFF" types access, unless their one and only "STAFF*" is "STAFF
RETIRED" (yes, don't get me started, but it's considered "perfectly
valid" for someone to have employeeTypes of staff, staff retired, and
staff offsite).
So essentially, I need to allow in anyone with "STAFF", not followed by
" RETIRED". At the moment, I'm using %{reply:employeeType[*]} which
works fine for regex matching all of the other funky attributes that
should grant access. But I can't seem to figure out how to say, either
with unlang comparisons or regexes (I'm on CentOS/RedHat, so I assume it
would be POSIX, either BRE or ERE) or both, how to exclude that one
condition.
Examples:
STAFF, STAFF RETIRED, SALARIED -> Accept
STAFF -> Accept
STAFF RETIRED -> Reject
STAFF, STAFF TEMPORARY -> Accept
FOO, STAFF RETIRED, BAR -> Reject
FOO, STAFF, BAR -> Accept
Any hints or guidance would be greatly appreciated. I've searched
through all of the regex material I could find, and asked on #regex IRC
and as many regex gurus as I could find, and the best answer I got was
to combine regexes with some sort of unlang construct... but I can't
seem to think of anything which will match my logical need... "the
string STAFF not followed immediately by the string RETIRED".
Thanks,
Jason Antman
PS - I know the Right answer here is "fix your LDAP schema".
Unfortunately, I don't have any control over that. Or even the power to
make suggestions. All I have is a directive of who gets in and who doesn't.
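The decision rule from the post, written out as an added example (this is not code from the post or from FreeRADIUS): each employeeType value is tested on its own, and a value qualifies if it is in the STAFF family but is not exactly "STAFF RETIRED". Because POSIX ERE has no lookahead, the rule is split into two plain patterns, an include pattern and an exclude pattern, which is the shape an `if (A && !B)` pair in unlang would take. A PCRE-style single-pattern version with negative lookahead is included for comparison. It is assumed here that the attribute values arrive as a Python list; how FreeRADIUS expands `employeeType[*]` is not modelled.

```python
import re

# ERE-compatible pair: no lookahead, no Perl extensions.
# STAFF_ANY accepts "STAFF" and "STAFF <anything>"; STAFF_RETIRED is the one
# value to exclude. Anchors keep "STAFFING" or "EX-STAFF" from sneaking in.
STAFF_ANY = re.compile(r"^STAFF( .*)?$")
STAFF_RETIRED = re.compile(r"^STAFF RETIRED$")


def is_staff_value(value):
    """One employeeType value grants access if it is STAFF-family
    and is not exactly STAFF RETIRED (include && !exclude)."""
    return bool(STAFF_ANY.match(value)) and not STAFF_RETIRED.match(value)


def is_authorized(employee_types):
    """Accept if at least one value qualifies on its own.
    Values are tested individually, never as one joined string, so a user
    holding both STAFF and STAFF RETIRED is still accepted, as the post wants."""
    return any(is_staff_value(v.strip()) for v in employee_types)


# Single-pattern alternative for engines with negative lookahead (PCRE/Python).
# "(?! RETIRED$)" rejects exactly "STAFF RETIRED"; "( .*)?$" still requires
# the value to be STAFF or STAFF followed by a space.
STAFF_NOT_RETIRED = re.compile(r"^STAFF(?! RETIRED$)( .*)?$")


def is_authorized_lookahead(employee_types):
    """Same decision as is_authorized(), using the lookahead pattern."""
    return any(STAFF_NOT_RETIRED.match(v.strip()) for v in employee_types)


# Constructed test cases, copied from the examples in the post.
CASES = [
    (["STAFF", "STAFF RETIRED", "SALARIED"], True),
    (["STAFF"], True),
    (["STAFF RETIRED"], False),
    (["STAFF", "STAFF TEMPORARY"], True),
    (["FOO", "STAFF RETIRED", "BAR"], False),
    (["FOO", "STAFF", "BAR"], True),
]


def check_cases():
    """True when both implementations agree with every expected outcome."""
    return all(
        is_authorized(values) == expected and is_authorized_lookahead(values) == expected
        for values, expected in CASES
    )


if __name__ == "__main__":
    for values, expected in CASES:
        verdict = "Accept" if is_authorized(values) else "Reject"
        print(", ".join(values), "->", verdict)
    print("all cases consistent:", check_cases())
```

The two-pattern form is the one to carry over to an ERE-only setup: apply the include pattern and the exclude pattern to the same single value, and accept when the first matches and the second does not. Matching a concatenation of all values instead would let the exclude pattern fire on one value while the include pattern matched a different one, which is exactly the "STAFF, STAFF RETIRED" case the post needs to accept.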