multi-valued ldap-group attributes in rlm_cache
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Aug 5 05:34:08 CEST 2014
On 4 Aug 2014, at 09:33, Zenon Mousmoulas <zmousm at noc.grnet.gr> wrote:
> On 2014-08-02 15:58, Arran Cudbard-Bell wrote:
>>> I can see rlm_ldap populate control:Ldap-Group:
>>> Sat Aug 2 12:12:55 2014 : Debug: Added control:ldap_xyz-Ldap-Group with value "abc"
>>> Sat Aug 2 12:12:55 2014 : Debug: Added control:ldap_xyz-Ldap-Group with value "def"
>>> [...]
>>> But it looks like rlm_cache only caches the first value:
>>> Sat Aug 2 12:12:56 2014 : Debug: (4) cache_xyz : Adding to cache entry:
>>> Sat Aug 2 12:12:56 2014 : Debug: (4) cache_xyz : control:ldap_xyz-Ldap-Group += &ldap_xyz-Ldap-Group -> 'abc'
>>> And the next cache lookup only shows the first value:
>>> Sat Aug 2 12:13:02 2014 : Debug: (9) cache_xyz : Merging cached control list:
>>> Sat Aug 2 12:13:02 2014 : Debug: (9) cache_xyz : ldap_xyz-Ldap-Group += 'abc'
>>> Is this supposed to work? I am using 3.0.4 rc1.
>> Yes, but I have a good idea why it's not.
>
> Would you please elaborate?
rlm_cache had a lot of attribute copying/moving logic that was
written before we did the map/template work in v3.0.x.
In the v3.0.x branch rlm_cache was switched to use the same code
as normal update blocks.
Normal update blocks behaved slightly differently, in that when
a += operator was used only the first instance of the referenced
(RHS) attribute was copied.
Seeing as people seem to prefer an explicit markup for saying
use all instances of a given attribute, instead of hacking
the update code to make it behave like rlm_cache, it's probably
better to add that markup now.
If you use the latest v3.0.x you should be able to do:
update {
control:ldap_xyz-Ldap-Group += &ldap_xyz-Ldap-Group[*]
}
So now, essentially:
&ldap_xyz-Ldap-Group[0] and &ldap_xyz-Ldap-Group
are synonymous in terms of update blocks, not matter what the operator is.
Guess I should update the man page too.
Phil's 'any' prefix would have worked too, but it would have
meant hacking the config parser, and we already use [*] elsewhere.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140804/9aa4251d/attachment.pgp>
More information about the Freeradius-Users
mailing list