multiattribute testing in git 1411859

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Wed Aug 6 13:21:43 CEST 2014


Hi,
  I saw the thread "multi-valued ldap-group attributes in rlm_cache" and
figured that FR has been sorted to have multivalued attribute lookups in
it now.
I may be completely wrong but thought I'd test it anyway.

I've got a simple case where I look up groups in ldap (AD 2008)

mods-enabled/ldap
[..]
update {
        control:Ldap-MemberOf                 += 'memberOf'
}

.. and then a policy which takes the first value before the comma from
the ldap group set that comes back:

ldap-memberof-filter-regexp="^CN=([^,]*)"

  ldap-memberof-filter {
    update control {
      Tmp-String-0 !* ANY
    }
    foreach control:Ldap-MemberOf {
      if ("%{Foreach-Variable-0}" =~ /${policy.ldap-memberof-filter-regexp}/) {
        update control {
          Tmp-String-0 += "%{1}"
        }
      }
    }
    update control {
      Ldap-MemberOf !* ANY
    }
    foreach control:Tmp-String-0 {
      update control {
        Ldap-MemberOf += "%{Foreach-Variable-0}"
      }
    }
    update control {
      Tmp-String-0 !* ANY
    }
  }

.. this works ok, and the "stripped" group name is processed and listed
back to the original attribute name.

I'd then expect to be able to add it to the cache as per Arran's
suggestion from the thread where he says:

>>update {
>>	control:ldap_xyz-Ldap-Group += &ldap_xyz-Ldap-Group[*] }
>>So now, essentially:
>>&ldap_xyz-Ldap-Group[0] and &ldap_xyz-Ldap-Group
>>are synonymous in terms of update blocks, no matter what the operator
>>is.

So I do:
update {
        control:Ldap-MemberOf += &control:Ldap-MemberOf[*]
}
.. but it either stops the server output when it's populating the cache
- no segfault, just stops on that line and needs ctrl-c.
Or it goes into a loop:
(1)  cache :    Ldap-MemberOf += 'SSID_SaTH_Guest-Virgin-PRH'
(1)  cache :    Ldap-MemberOf += 'SSID_SaTH_Guest-Virgin-PRH'
(1)  cache :    Ldap-MemberOf += 'SSID_SaTH_Guest-Virgin-PRH'
(1)  cache :    Ldap-MemberOf += 'SSID_SaTH_Guest-Virgin-PRH'
(1)  cache :    Ldap-MemberOf += 'SSID_SaTH_Guest-Virgin-PRH'
.. and also needs ctrl-c.

Also,
If I didn't fill the cache and had a section that said something like

if (&control:Ldap-MemberOf[*] == "something") {
..

Should it pick up all instances now in the check? It only seems to act
on the first one still. I also tried "%{control:Ldap-MemberOf[*]}", but
that does the same.
Again maybe my misinterpretation.
I also briefly tried the ldap cache enabling and shared load balance
redundant way of checking each ldap server (cache_attribute) but it only
seems to pick up the first attribute still:

mods-enabled/ldap
[..]
ldap ldap1 {
  group {
        cacheable_name = yes
        cache_attribute = "Cached-Ldap-Group"
[..]

(1)  ldap1 : Added control:Cached-Ldap-Group with value "SSID_SaTH_Guest-Virgin-PRH"
(1)  ldap1 : Added control:Cached-Ldap-Group with value "SSID_RSH_WiFi"

(1) if (&control:Cached-Ldap-Group[*] == "SSID_RSH_WiFi")  -> FALSE
..
(1) if (&control:Cached-Ldap-Group[*] == "SSID_SaTH_Guest-Virgin-PRH")  -> TRUE
..

Maybe my testing is premature. Quite happy to keep testing if required!

Thanks
Andy
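Added example, not part of Andy's post and not FreeRADIUS code: a small Python model of the two things the post is about. It applies the post's `^CN=([^,]*)` filter to a list of memberOf DNs, then shows the difference between a group check that only consults the first instance of the attribute (what the post observes for `[*]`) and one that consults every instance (what the post expects), and reproduces the runaway `Ldap-MemberOf += &control:Ldap-MemberOf[*]` loop as an append-while-iterating. The two SSID group names come from the post; the DN suffixes, the "Smith\, John" value and the RFC 4514 escape-aware regex variant are assumptions added here.

```python
import re

# Regex from the post's ldap-memberof-filter-regexp policy variable.
CN_REGEX = re.compile(r"^CN=([^,]*)")

# Variant that honours RFC 4514 backslash escapes, so an escaped comma inside
# the CN ("Smith\, John") does not truncate the match. This is an assumption
# added here, not something the post uses.
CN_REGEX_ESCAPED = re.compile(r"^CN=((?:\\.|[^,\\])*)")

# Constructed sample memberOf values in the shape AD returns. The two SSID
# group names are the ones in the post; the other values and the OU/DC
# suffixes are made up for the example.
SAMPLE_MEMBEROF = [
    "CN=SSID_SaTH_Guest-Virgin-PRH,OU=Groups,DC=example,DC=org",
    "CN=SSID_RSH_WiFi,OU=Groups,DC=example,DC=org",
    "CN=Smith\\, John,OU=Users,DC=example,DC=org",
    "OU=NotAGroup,DC=example,DC=org",
]


def filter_memberof(values, regex=CN_REGEX):
    """Mirror the ldap-memberof-filter policy: for each DN keep only the
    captured CN. Values that do not match the regex are dropped, just as the
    unlang foreach/if never copies them into Tmp-String-0."""
    stripped = []
    for value in values:
        m = regex.match(value)
        if m:
            stripped.append(m.group(1))
    return stripped


def first_value_matches(values, wanted):
    """The behaviour the post observed: the comparison consults only the
    first instance of the attribute (&attr[0])."""
    return bool(values) and values[0] == wanted


def any_value_matches(values, wanted):
    """The behaviour the post expected from &attr[*]: true if any instance
    of the attribute equals the wanted group."""
    return any(value == wanted for value in values)


def self_append(values, snapshot, limit=50):
    """Model the runaway 'Ldap-MemberOf += &control:Ldap-MemberOf[*]' update.
    Appending to the very list being iterated keeps extending the iteration,
    so without a snapshot of the source it never finishes; 'limit' caps it so
    the function returns. Returns (result, terminated_normally)."""
    result = list(values)
    source = list(result) if snapshot else result
    steps = 0
    for value in source:
        result.append(value)
        steps += 1
        if steps >= limit:
            return result, False
    return result, True


if __name__ == "__main__":
    groups = filter_memberof(SAMPLE_MEMBEROF)
    print("stripped:", groups)
    for wanted in ("SSID_SaTH_Guest-Virgin-PRH", "SSID_RSH_WiFi"):
        print(wanted, "first-only:", first_value_matches(groups, wanted),
              "any:", any_value_matches(groups, wanted))
    print("escaped CN:", filter_memberof(SAMPLE_MEMBEROF, CN_REGEX_ESCAPED)[2])
    _, ok = self_append(groups, snapshot=False, limit=20)
    print("self-append without snapshot terminated:", ok)
    _, ok = self_append(groups, snapshot=True)
    print("self-append with snapshot terminated:", ok)
```

The point for anyone using group membership as an authorisation gate: a check that only looks at the first instance will return FALSE for a group the user genuinely belongs to whenever that group is not listed first, so the check must be confirmed to iterate over every instance before it is relied on. The regex in the post also truncates a CN containing an escaped comma, which the escape-aware variant avoids.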