Multivalued (LDAP) Attributes and string matching, or regexes
Jason Antman
jantman at oit.rutgers.edu
Tue Jun 21 16:12:56 CEST 2011
Alexander Clouter wrote:
> Peter Lambrechtsen <plambrechtsen at gmail.com> wrote:
>
>> I find the easist way to do it is to use a custom "users" file to allow /
>> prevent access based on exact matches of LDAP attributes.
>>
>> then you can say if STAFF = Accept, if STAFF OFFSITE Accept, otherwise
>> reject.
>>
>> This is how we do it here:
>>
>> http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html
>>
>>
Peter... but how does that work with multivalued attributes? If someone
has employeeType[0] = "FooBar" and employeeType[1] = "STAFF OFFSITE" it
doesn't seem like it would work...
Also, at the moment, I don't have a users file... I'm using LDAP only,
with the little configuration I need in unlang.
> Depending on how you have things set up locally and how you are trying
> to skin this particular cat, but you could just use an LDAP filter to
> get all this done and keep the logic out of FreeRADIUS (although I
> probably would *not* recommend it):
> ----
> filter = "(&(objectClass=Person)(employeeType=staff*)(!(employeeType=staff retired))(|(!(loginDisabled=*))(loginDisabled=FALSE))(cn=%{Stripped-User-Name}))"
> ----
>
> Means you get the effect as if the user did not even exist.
>
> Just throwing another option out there...although I would recommend the
> users file with a bunch of fall throughs personally.
>
> Cheers
>
>
I know I didn't specify it in my original message, but that loses the
verbose (SQL-ized) logging that I need...
I don't really know anything about it, and haven't seen mention of it
outside of the modules list, but perhaps I could use rlm_perl or
rlm_python? Does anyone know about the efficiency of these? I know I'm
approaching this from the standpoint of a traditional programming
language, but the way I see it, I just need to loop over the values of
the employeeType[] attribute, and have some sort of variable to store
state...
-Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110621/83735453/attachment.html>
More information about the Freeradius-Users
mailing list