On 09/17/2013 03:48 PM, Alexander Hartmaier wrote:

>> my $memberof = $entry->get_value('memberOf', asref => 1);
>> foreach my $group (@$memberof) {
>>     # true if $group matches any configured group (case-insensitive)
>>     return 1 if (grep {lc $group eq lc $_} @ldap_groups);
>> }
>> return 0;
>
> 5.38.21 PostSearchHook from the 4.12 reference doc doesn't describe how
> the return value influences the request handling. Is this something
> common to all hooks and described somewhere else?

You are correct, PostSearchHook does not check the return value. Some hooks use it, such as RequestHook in AuthBy INTERNAL, but it depends on the hook.

I tried to be brief with the example and the return values were just for illustrative purposes. The way to reject a user from e.g., PostSearchHook is something like this:

    $user->get_check->add_attr('Auth-Type', 'Reject:Not a member of at least one user group');
    return;

See goodies/lookupauthgroup.pl for a full example.

>> Also, we discussed here about adding support for RADIUS attributes that
>> can be present multiple times. This would mean that e.g., if there are 4
>> Framed-IP-Address attributes, you could have something like this (flat
>> file format):
>>
>> mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4
>>
>> This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.
>>
>> Any comments about how useful you or the others would see this is
>> appreciated.
>
> A syntax to define if any value or all values has to match is highly
> anticipated!

Thanks, noted. Also noted Garry's message.

Something like %{RequestOr:attributename} should be quite straightforward to do and understand. However, %{RequestAnd:attributename} requires a bit more. Syntax like this might be a possibility:

    mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4|2.3.4.5

Here the request would be accepted if:

    User-Password = fred, and
    Framed-IP-Address = 1.2.3.4, and
    Framed-IP-Address = 2.3.4.5

As another example, the required values (e.g., 1.2.3.4 and 2.3.4.5) could come from a multivalued LDAP attribute.

If there are examples how the above would be put in use, please let us know.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere.
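The group check quoted at the top of this message, combined with the check-item rejection described in the reply, as an added example that is not part of the original post or of Radiator's goodies. The Mock* classes, the group DNs, the sub name and the way the User object and LDAP entry are passed in are assumptions made so the script runs on its own.

```perl
use strict;
use warnings;

# Constructed stand-ins for the LDAP entry and the Radiator User object, so
# the script runs without Radiator or a directory server.
{
    package MockEntry;
    sub new { my ($class, %attrs) = @_; return bless {%attrs}, $class }
    sub get_value {    # mimics get_value($name, asref => 1)
        my ($self, $name) = @_;
        return $self->{$name};
    }
    package MockAttrList;
    sub new      { return bless { attrs => [] }, shift }
    sub add_attr { my ($self, $n, $v) = @_; push @{ $self->{attrs} }, [$n, $v] }
    package MockUser;
    sub new       { return bless { check => MockAttrList->new }, shift }
    sub get_check { return $_[0]{check} }
}

# Constructed group DNs; a real configuration supplies its own.
my @ldap_groups = ('CN=vpn-users,OU=Groups,DC=example,DC=com');

# Hook body. Assumption: it receives the User object and the LDAP entry;
# in a real PostSearchHook take them from @_ as the reference manual lists.
sub check_group_membership {
    my ($user, $entry) = @_;
    my %allowed = map { lc($_) => 1 } @ldap_groups;
    # asref => 1 gives an array ref, or undef when memberOf is absent
    my $memberof = $entry->get_value('memberOf', asref => 1) || [];
    return if grep { $allowed{ lc $_ } } @$memberof;    # member: no check item added
    # No match, or no memberOf at all: fail closed through the check item,
    # because the hook's return value is ignored.
    $user->get_check->add_attr('Auth-Type',
        'Reject:Not a member of at least one user group');
    return;
}

my %cases = (
    member     => MockEntry->new(memberOf => ['cn=VPN-Users,ou=groups,dc=example,dc=com']),
    non_member => MockEntry->new(memberOf => ['cn=guests,ou=groups,dc=example,dc=com']),
    no_groups  => MockEntry->new(),
);
for my $name (sort keys %cases) {
    my $user = MockUser->new;
    check_group_membership($user, $cases{$name});
    my @check = map { "$_->[0]=$_->[1]" } @{ $user->get_check->{attrs} };
    print "$name: ", (@check ? "@check" : 'no check item added'), "\n";
}
```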