Multivalued (LDAP) Attributes and string matching, or regexes

Peter Lambrechtsen plambrechtsen at gmail.com
Thu Jun 16 00:55:57 CEST 2011


I find the easiest way to do it is to use a custom "users" file to allow /
prevent access based on exact matches of LDAP attributes.

Then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
reject.

This is how we do it here:

http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html


On Thu, Jun 16, 2011 at 9:23 AM, Jason Antman <jantman at oit.rutgers.edu> wrote:

> Greetings,
>
> I have to control authorization based on a (possibly) multi-valued LDAP
> reply attribute called employeeType. I have all of the LDAP code working
> fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max of
> 5 or so) employeeType values. The pertinent ones include "STAFF", "STAFF
> TEMPORARY", "STAFF OFFSITE", and "STAFF RETIRED". I need to allow all
> "STAFF" types access, unless their one and only "STAFF*" is "STAFF RETIRED"
> (yes, don't get me started, but it's considered "perfectly valid" for
> someone to have employeeTypes of staff, staff retired, and staff offsite).
>
> So essentially, I need to allow in anyone with "STAFF", not followed by "
> RETIRED". At the moment, I'm using %{reply:employeeType[*]} which works fine
> for regex matching all of the other funky attributes that should grant
> access. But I can't seem to figure out how to say, either with unlang
> comparisons or regexes (I'm on CentOS/RedHat, so I assume it would be POSIX,
> either BRE or ERE) or both, how to exclude that one condition.
>
> Examples:
> STAFF, STAFF RETIRED, SALARIED -> Accept
> STAFF -> Accept
> STAFF RETIRED -> Reject
> STAFF, STAFF TEMPORARY -> Accept
> FOO, STAFF RETIRED, BAR -> Reject
> FOO, STAFF, BAR -> Accept
>
> Any hints or guidance would be greatly appreciated. I've searched through
> all of the regex material I could find, and asked on #regex IRC and as many
> regex gurus as I could find, and the best answer I got was to combine
> regexes with some sort of unlang construct... but I can't seem to think of
> anything which will match my logical need... "the string STAFF not followed
> immediately by the string RETIRED".
>
> Thanks,
> Jason Antman
>
> PS - I know the Right answer here is "fix your LDAP schema". Unfortunately,
> I don't have any control over that. Or even the power to make suggestions.
> All I have is a directive of who gets in and who doesn't.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
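The decision Jason describes ("any STAFF value other than STAFF RETIRED grants access, evaluated over every employeeType value") can be checked against his six examples before it is wired into a RADIUS policy. The Python below is an added illustration, not code from either poster or from FreeRADIUS. It shows two equivalent formulations: a single pattern that uses only POSIX ERE constructs (no lookahead, since the question notes lookahead may not be available), and the "regex plus a second condition" approach suggested on IRC. The pattern text, the function names and the per-value evaluation loop are this example's own assumptions; nothing here depends on how `%{reply:employeeType[*]}` expands inside FreeRADIUS.

```python
import re

# Single pattern written with POSIX ERE constructs only (no lookahead), so the
# same text could be reused by a regex engine that lacks Perl extensions.
# It accepts a value that is exactly "STAFF", or "STAFF " followed by anything
# that is not the word "RETIRED". Each alternative peels off one more letter of
# "RETIRED" and requires the next character to differ. (Assumed pattern, not
# taken from the thread.)
STAFF_NOT_RETIRED_ERE = re.compile(
    r"^STAFF($| [^R]| R[^E]| RE[^T]| RET[^I]| RETI[^R]| RETIR[^E]| RETIRE[^D])"
)


def value_grants_access_ere(value: str) -> bool:
    """True if this one employeeType value is a STAFF type other than STAFF RETIRED."""
    return STAFF_NOT_RETIRED_ERE.search(value) is not None


def value_grants_access_two_checks(value: str) -> bool:
    """Same decision as two conditions: a STAFF prefix test plus an exact-match exclusion.

    The anchored "( |$)" keeps unrelated values such as "STAFFER" from matching.
    """
    return re.search(r"^STAFF( |$)", value) is not None and value != "STAFF RETIRED"


def authorize(employee_types, check=value_grants_access_ere) -> str:
    """Evaluate each value of the multi-valued attribute separately.

    The user is accepted if at least one value qualifies; testing the values
    one at a time is what makes "STAFF, STAFF RETIRED" an Accept while
    "STAFF RETIRED" on its own is a Reject.
    """
    return "Accept" if any(check(v) for v in employee_types) else "Reject"


# Constructed sample data: the six cases listed in the question, as value lists.
EXAMPLES = [
    (["STAFF", "STAFF RETIRED", "SALARIED"], "Accept"),
    (["STAFF"], "Accept"),
    (["STAFF RETIRED"], "Reject"),
    (["STAFF", "STAFF TEMPORARY"], "Accept"),
    (["FOO", "STAFF RETIRED", "BAR"], "Reject"),
    (["FOO", "STAFF", "BAR"], "Accept"),
]


def run_examples(check=value_grants_access_ere):
    """Return (values, decision) pairs for every sample case using the chosen check."""
    return [(values, authorize(values, check)) for values, _ in EXAMPLES]


if __name__ == "__main__":
    for values, expected in EXAMPLES:
        got = authorize(values)
        print(f"{', '.join(values):40s} -> {got} (expected {expected})")
```

Both checks give the same answer on every sample case; the single-pattern form is useful where only one regex comparison is available, while the two-condition form is easier to read and to audit later. Whichever is used, the important design point is that the attribute is evaluated value by value rather than as one concatenated string, otherwise a "STAFF RETIRED" value sitting next to a plain "STAFF" value could be mis-read in either direction.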