Hi Heikki,

Put me down for this feature as well...

Thanks.

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Tuesday, September 17, 2013 8:24 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check

On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
> I just tried to implement a check for group membership:
> 
> AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
> 
> OSC-Group-Identifier-LDAP is a multi-value attribute derived from 
> OSC-Group-Identifier with a PreAuthHook, basically just to transform 
> the support groups of a device into the corresponding LDAP CNs.
> According to the trace 4 log the check runs twice but both times using 
> the first OSC-Group-Identifier-LDAP value.
> Is this a bug?

I think this is the intended behaviour. The code always fetches a single value 
for the named attribute. This means it always gets the first attribute's value. 
It does not try to fetch all values of the named attribute.

Currently you could use a PostSearchHook to do something like this:
my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');

Since @ldap_groups is an array, you will get all values of 
OSC-Group-Identifier-LDAP, not just the first one.

Then you can try each LDAP memberOf attribute value with 
OSC-Group-Identifier-LDAP attribute values to see if there's a match:

my $memberof = $entry->get_value('memberOf', asref => 1);
foreach my $group (@$memberof) {
    # grep in scalar context returns the number of matching entries;
    # map would return the number of elements regardless of the comparison
    return 1 if grep { lc $group eq lc $_ } @ldap_groups;
}
return 0;



Also, we discussed here adding support for RADIUS attributes that can be 
present multiple times. This would mean that, e.g., if there are 4 
Framed-IP-Address attributes, you could have something like this (flat file 
format):

mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4

This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.

Any comments about how useful you or the others would find this are appreciated.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
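As an added example that is not part of the mailing-list post and not Radiator's own code, the following self-contained Perl script models the two checks discussed above: the PostSearchHook group comparison (any LDAP memberOf value matching any OSC-Group-Identifier-LDAP value, case-insensitively) and the proposed %{RequestOr:Attr}=value semantics (pass if any value of a multi-valued attribute equals the check value). The LDAP DNs and Framed-IP-Address values are constructed sample data; the comment at the end showing how it would be wired into a hook assumes the argument order and is not verified against the Radiator manual.

```perl
#!/usr/bin/perl
# Added example: a stand-alone model of the multi-value attribute checks
# discussed on the list. Not Radiator code; runs without Radiator installed.
use strict;
use warnings;

# Returns 1 if any LDAP memberOf value equals (case-insensitively) any of the
# RADIUS OSC-Group-Identifier-LDAP values, otherwise 0.
# A hash lookup is used instead of "map" in boolean context: map returns the
# number of list elements, so the comparison result would be ignored and any
# non-empty group list would appear to match.
sub group_match {
    my ($memberof, $ldap_groups) = @_;
    my %wanted = map { lc($_) => 1 } @$ldap_groups;   # normalise case once
    foreach my $group (@$memberof) {
        return 1 if $wanted{ lc $group };
    }
    return 0;
}

# General form of the proposed %{RequestOr:Attr}=value check: pass if any of
# the attribute's values equals the check value (exact, case-sensitive match,
# as for an IP address literal).
sub any_value_matches {
    my ($values, $check) = @_;
    return (grep { $_ eq $check } @$values) ? 1 : 0;
}

# Constructed sample data standing in for what
# $entry->get_value('memberOf', asref => 1) and
# $p->get_attr('OSC-Group-Identifier-LDAP') would return.
my @memberof = (
    'CN=Network-Support,OU=Groups,DC=example,DC=com',
    'CN=Helpdesk,OU=Groups,DC=example,DC=com',
);
my @ldap_groups = (
    'cn=storage-admins,ou=groups,dc=example,dc=com',
    'cn=network-support,ou=groups,dc=example,dc=com',
);

print "group check (overlap):    ",
    (group_match(\@memberof, \@ldap_groups) ? "pass" : "fail"), "\n";
print "group check (no overlap): ",
    (group_match(\@memberof, ['cn=dba,ou=groups,dc=example,dc=com']) ? "pass" : "fail"), "\n";

# Constructed stand-in for a request carrying 4 Framed-IP-Address attributes.
my @framed = ('10.0.0.1', '10.0.0.2', '1.2.3.4', '10.0.0.3');
print "RequestOr check:          ",
    (any_value_matches(\@framed, '1.2.3.4') ? "pass" : "fail"), "\n";
print "RequestOr check (absent): ",
    (any_value_matches(\@framed, '192.0.2.9') ? "pass" : "fail"), "\n";

# Assumed wiring inside a Radiator PostSearchHook (argument order is an
# assumption; how the hook signals rejection is not shown in the post):
#   PostSearchHook sub {
#       my ($self, $name, $p, $user, $entry, $rp) = @_;
#       my @g = $p->get_attr('OSC-Group-Identifier-LDAP');
#       my $m = $entry->get_value('memberOf', asref => 1) || [];
#       return group_match($m, \@g);
#   }
```

Running the script prints pass/fail/pass/fail for the four checks. The case-insensitive comparison matters in practice because Active Directory returns DNs with the case they were created in, while values generated by a PreAuthHook are typically lower-cased.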