Thanks Arran for those answers,

> No your check will not iterate over every instance of a value.
>
> In order to do that you'll need to use FreeRADIUS 3.x and use the foreach
> unlang construct or perl.

Hmm, FreeRADIUS 3.x? Is it suitable for a production environment? Or I'll simply fall back to rlm_perl. But not on a Friday evening, it will wait till Monday!

> Plus the way you're doing policies is weird. Why don't you just use the
> policy module (policy.conf)? It'd be way more memory efficient if you're
> using the same policy multiple times, and you gain the ability to overload
> module calls...

You're right, I'll move this into the policy file, didn't think about it.

Regards,
Olivier B.

> -Arran
>
> On 2 Sep 2011, at 15:47, Olivier Beytrison wrote:
>
>> Hello,
>>
>> I've been trying for two weeks to do some multi-valued attribute checking on
>> my radius infrastructure.
>>
>> I've been looking at checkval, using the "users" file and such, but with
>> no luck.
>>
>> I'm running two FR 2.1.10 on Ubuntu for the eduroam project. The local
>> authentication is made against a Novell eDirectory LDAP server.
>>
>> I'm fetching a multi-valued attribute from the LDAP into the control
>> list, and based on its content, I set the correct
>> Airespace-Interface-Name value.
>>
>> At the beginning I was using unlang to match the value, and it works
>> perfectly since 90% of the people only have one attribute. But some
>> people have multiple attributes.
>>
>> So far, that's what I've been using:
>>
>> In the virtual server, at the end of authorize {}
>>
>> if (NAS-IP-Address =~ /160\.98\.156\..*/) {
>>     $INCLUDE ${confdir}/secure-hefr.policy
>> }
>>
>> secure-hefr.policy content:
>>
>> if ( control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) {
>>     update reply {
>>         Airespace-Interface-Name := "wifi_eia-etu"
>>     }
>> }
>> elsif ( control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {
>>     update reply {
>>         Airespace-Interface-Name := "wifi_eia-col"
>>     }
>> }
>> elsif {
>> }
>> [ ... ]
>>
>> Some debug from a user who is multi-valued:
>>
>> server eduroam-inner-tunnel-peap {
>> # Executing section authorize from file /etc/freeradius/sites-enabled/eduroam-inner-tunnel-peap
>> +- entering group authorize {...}
>> ++[mschap] returns noop
>> [suffix] Looking up realm "hefr.ch" for User-Name = "didier.perr...@hefr.ch"
>> [suffix] Found realm "hefr.ch"
>> [suffix] Adding Realm = "hefr.ch"
>> [suffix] Authentication realm is LOCAL.
>> ++[suffix] returns ok
>> ++[control] returns ok
>> [eap] EAP packet type response id 11 length 6
>> [eap] No EAP Start, assuming it's an on-going EAP conversation
>> ++[eap] returns updated
>> [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/160.98.156.6/auth-detail-20110902
>> [auth_log] expand: %t -> Fri Sep 2 15:45:08 2011
>> ++[auth_log] returns ok
>> [linelog] expand: %{Packet-Type} -> Access-Request
>> [linelog] expand: %{%{Packet-Type}:-format} -> Access-Request
>> [linelog] expand: /var/log/freeradius/linelog -> /var/log/freeradius/linelog
>> [linelog] expand: Requested access: %{User-Name} -> Requested access: didier.perr...@hefr.ch
>> ++[linelog] returns ok
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/)
>> ? Evaluating (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++? if (User-Name =~ /(.*)@.*hefr.ch$/) -> TRUE
>> ++- entering if (User-Name =~ /(.*)@.*hefr.ch$/) {...}
>> expand: %{1} -> didier.perroud
>> +++[request] returns ok
>> ++- if (User-Name =~ /(.*)@.*hefr.ch$/) returns ok
>> ++[files] returns noop
>> [ldap] performing user authorization for didier.perroud
>> [ldap] expand: (uid=%{Stripped-User-Name}) -> (uid=didier.perroud)
>> [ldap] expand: ou=courant,ou=people,o=hefr -> ou=courant,ou=people,o=hefr
>> [ldap] ldap_get_conn: Checking Id: 0
>> [ldap] ldap_get_conn: Got Id: 0
>> [ldap] performing search in ou=courant,ou=people,o=hefr, with filter (uid=didier.perroud)
>> [ldap] Added the eDirectory password ******* in check items as Cleartext-Password
>> [ldap] No default NMAS login sequence
>> [ldap] looking for check items in directory...
>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-HEFR-EIFR-TICO-TLCO-$-RSM"
>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RORG-MASO-$-RCA"
>> [ldap] hessoRoleMemberKey -> HESSO-MEMBER-KEY == "RACA-TICO-MSEI-MTIC-$-RCA"
>> [ldap] looking for reply items in directory...
>> [ldap] hessoRoleMemberKey -> Class = 0x524f52472d484546522d454946522d5449434f2d544c434f2d242d52534d
>> [ldap] hessoRoleMemberKey -> Class = 0x524f52472d4d41534f2d242d524341
>> [ldap] hessoRoleMemberKey -> Class = 0x524143412d5449434f2d4d5345492d4d5449432d242d524341
>> [ldap] user didier.perroud authorized to use remote access
>> [ldap] ldap_release_conn: Release Id: 0
>> ++[ldap] returns ok
>> [pap] WARNING: Auth-Type already set. Not setting to PAP
>> ++[pap] returns noop
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/)
>> ? Evaluating (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++? if (NAS-IP-Address =~ /160\.98\.156\..*/) -> TRUE
>> ++- entering if (NAS-IP-Address =~ /160\.98\.156\..*/) {...}
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/) -> FALSE
>> +++? if (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR-INTR-INFO-.-RSM/ ) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/ ) -> FALSE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ )
>> ? Evaluating (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/) -> TRUE
>> +++? elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) -> TRUE
>> +++- entering elsif (control:HESSO-MEMBER-KEY =~ /RORG-HEFR-EIFR.*RSM$/ ) {...}
>>
>> We can see that it didn't match control:HESSO-MEMBER-KEY =~ /RORG-MASO.*RCA$/
>> while it has the correct value in the control list.
>>
>> How can I match this multi-valued attribute?
>>
>> Regards,
>> Olivier B.
>>
>> --
>> Olivier Beytrison
>> Network & Security Engineer, HES-SO Fribourg
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> Arran Cudbard-Bell
> a.cudba...@freeradius.org
>
> RADIUS - Half the complexity of Diameter

--
Olivier Beytrison
Network & Security Engineer, HES-SO Fribourg
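The foreach approach Arran points to, written out as a FreeRADIUS 3.x named policy (an added example, not code from the thread or from the FreeRADIUS project). It keeps the precedence of the original elsif chain by scanning every HESSO-MEMBER-KEY value first and deciding afterwards, so the order in which LDAP returns the values does not change the outcome; the policy name secure_hefr_interface and the use of Tmp-Integer-0 and Tmp-Integer-1 as scratch flags are my choices.

```unlang
# Added example for FreeRADIUS 3.x: put this in policy.d/ (policy.conf in
# 2.x) and call "secure_hefr_interface" from authorize {} in place of the
# $INCLUDE, under the existing NAS-IP-Address check.
secure_hefr_interface {
	# A plain "if (&control:HESSO-MEMBER-KEY =~ ...)" only tests the first
	# instance; foreach visits every instance, exposing the current one
	# as Foreach-Variable-0.  Flags are set instead of replying directly,
	# so the first matching value does not win over a higher-priority rule.
	foreach &control:HESSO-MEMBER-KEY {
		if (&Foreach-Variable-0 =~ /RORG-MASO.*RCA$/) {
			update control {
				&Tmp-Integer-0 := 1
			}
		}
		elsif (&Foreach-Variable-0 =~ /RORG-HEFR-EIFR.*RSM$/) {
			update control {
				&Tmp-Integer-1 := 1
			}
		}
	}

	# Same precedence as the original elsif chain: the MASO/RCA rule
	# wins over the HEFR-EIFR/RSM rule whenever both flags were set.
	if (&control:Tmp-Integer-0) {
		update reply {
			&Airespace-Interface-Name := "wifi_eia-etu"
		}
	}
	elsif (&control:Tmp-Integer-1) {
		update reply {
			&Airespace-Interface-Name := "wifi_eia-col"
		}
	}
	# No rule matched: set no interface, so the NAS applies its own default
	# rather than a value leaked from an earlier policy.
}
```

With the three values from the debug above, the loop sets both flags and the reply gets "wifi_eia-etu", which is what the original regex order intended but the first-instance-only check could not produce.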