I find the easiest way to do it is to use a custom "users" file to allow / prevent access based on exact matches of LDAP attributes.
Then you can say: if STAFF, Accept; if STAFF OFFSITE, Accept; otherwise reject. This is how we do it here: http://lists.freeradius.org/pipermail/freeradius-users/2010-September/msg00393.html

On Thu, Jun 16, 2011 at 9:23 AM, Jason Antman <jant...@oit.rutgers.edu> wrote:
> Greetings,
>
> I have to control authorization based on a (possibly) multi-valued LDAP reply attribute called employeeType. I have all of the LDAP code working fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max of 5 or so) employeeType values. The pertinent ones include "STAFF", "STAFF TEMPORARY", "STAFF OFFSITE", and "STAFF RETIRED". I need to allow all "STAFF" types access, unless their one and only "STAFF*" is "STAFF RETIRED" (yes, don't get me started, but it's considered "perfectly valid" for someone to have employeeTypes of staff, staff retired, and staff offsite).
>
> So essentially, I need to allow in anyone with "STAFF", not followed by " RETIRED". At the moment, I'm using %{reply:employeeType[*]} which works fine for regex matching all of the other funky attributes that should grant access. But I can't seem to figure out how to say, either with unlang comparisons or regexes (I'm on CentOS/RedHat, so I assume it would be POSIX, either BRE or ERE) or both, how to exclude that one condition.
>
> Examples:
> STAFF, STAFF RETIRED, SALARIED -> Accept
> STAFF -> Accept
> STAFF RETIRED -> Reject
> STAFF, STAFF TEMPORARY -> Accept
> FOO, STAFF RETIRED, BAR -> Reject
> FOO, STAFF, BAR -> Accept
>
> Any hints or guidance would be greatly appreciated. I've searched through all of the regex material I could find, and asked on #regex IRC and as many regex gurus as I could find, and the best answer I got was to combine regexes with some sort of unlang construct... but I can't seem to think of anything which will match my logical need... "the string STAFF not followed immediately by the string RETIRED".
>
> Thanks,
> Jason Antman
>
> PS - I know the Right answer here is "fix your LDAP schema". Unfortunately, I don't have any control over that. Or even the power to make suggestions. All I have is a directive of who gets in and who doesn't.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
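The two approaches discussed in this thread, checked against the examples from the question, as an added illustration that is not code from either poster or from FreeRADIUS: an exact-value allow-list as the reply suggests, and a regex that expresses "STAFF not immediately followed by RETIRED" without the lookahead that POSIX ERE lacks. The allow-list contents and the per-value evaluation are assumptions standing in for what the unlang or users-file policy would do.

```python
import re

# Constructed from the examples in the question: each user's employeeType
# values and the decision the poster expects for them.
CASES = [
    (["STAFF", "STAFF RETIRED", "SALARIED"], True),
    (["STAFF"], True),
    (["STAFF RETIRED"], False),
    (["STAFF", "STAFF TEMPORARY"], True),
    (["FOO", "STAFF RETIRED", "BAR"], False),
    (["FOO", "STAFF", "BAR"], True),
]

# Approach 1 (the reply's suggestion): an explicit allow-list of exact
# values. Anything not listed, "STAFF RETIRED" included, grants nothing.
# The set contents are an assumption based on the types named in the thread.
ALLOWED_EXACT = {"STAFF", "STAFF TEMPORARY", "STAFF OFFSITE"}

def allowed_by_exact_match(employee_types):
    """True if any employeeType value is on the allow-list."""
    return any(v in ALLOWED_EXACT for v in employee_types)

# Approach 2 (the question's regex route): POSIX ERE has no negative
# lookahead, so "STAFF not followed by ' RETIRED'" is spelled out as the
# alternatives it does permit: bare STAFF, or STAFF plus a suffix that
# diverges from " RETIRED" at some character. Only constructs common to ERE
# and Python's re are used, so the same pattern can be checked here.
# The ^ and $ anchors matter: unanchored, the bare "STAFF" branch would
# also hit inside "STAFF RETIRED" and defeat the exclusion.
STAFF_NOT_RETIRED = re.compile(
    r"^STAFF( [^R].*| R[^E].*| RE[^T].*| RET[^I].*| RETI[^R].*"
    r"| RETIR[^E].*| RETIRE[^D].*)?$"
)

def allowed_by_regex(employee_types):
    """True if any single employeeType value matches the pattern.

    Each value is tested on its own, which is what iterating over the
    multi-valued %{reply:employeeType[*]} amounts to; concatenating the
    values first would break the anchors.
    """
    return any(STAFF_NOT_RETIRED.search(v) for v in employee_types)

def run_cases():
    """Return (approach, values) pairs where a decision differs from the expected one."""
    failures = []
    for values, expected in CASES:
        for name, fn in (("exact", allowed_by_exact_match), ("regex", allowed_by_regex)):
            if fn(values) != expected:
                failures.append((name, values))
    return failures

if __name__ == "__main__":
    print(run_cases())  # [] when both approaches agree with every example
```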