On 29.4.2021 10.31, Patrik Forsberg wrote:

I used AddToReplyIfNotExist and that seems to only use the first OSC-Authorize-Group option it reaches and just ignores the rest.. an AddToReply fixed that ..

AddToReplyIfNotExist \
   Service-Type = "Administrative-User",\
   OSC-Group-Identifier = "%N",\
   OSC-Authorize-Group = "permit service=shell cmd=show cmd-arg=running-config",\
   OSC-Authorize-Group = "deny service=shell cmd=*",\
   OSC-Authorize-Group = "permit .* {priv-lvl=15}"

Good to hear it works now. However, I'd say it would make more sense that AddToReplyIfNotExist didn't work like that. What happens with multi-instance attributes is exactly what you say: it adds the first and then determines for the second instance that NotExists no longer holds :(

This is fine with typical single-instance attributes but I think the expectation is that all of the above would have been added.

Thanks for letting us know about this,
Heikki


--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
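
The multi-instance behaviour discussed in this thread, as an added example that is not part of the original messages and is not Radiator's code: a simplified Python model applied to the attribute list from the post. The function names are hypothetical, and the per-call variant is only one assumed reading of the expectation described in the reply.

```python
# Added illustration: a simplified model of the behaviour described in the
# thread. It is not Radiator's implementation; function names are hypothetical.
ATTRS = [  # attribute list from the post, in configuration order
    ("Service-Type", "Administrative-User"),
    ("OSC-Group-Identifier", "%N"),
    ("OSC-Authorize-Group", "permit service=shell cmd=show cmd-arg=running-config"),
    ("OSC-Authorize-Group", "deny service=shell cmd=*"),
    ("OSC-Authorize-Group", "permit .* {priv-lvl=15}"),
]


def add_to_reply(reply, attrs):
    """Unconditional add: every instance is appended."""
    return list(reply) + list(attrs)


def add_if_not_exist_per_instance(reply, attrs):
    """Reported behaviour: existence is re-checked after each single add."""
    out = list(reply)
    for name, value in attrs:
        if not any(n == name for n, _ in out):
            out.append((name, value))
    return out


def add_if_not_exist_per_call(reply, attrs):
    """Assumed expectation: existence is judged against the reply as it was
    before the call, so all instances of an absent attribute are added."""
    present = {n for n, _ in reply}
    return list(reply) + [(n, v) for n, v in attrs if n not in present]


def rules(reply):
    """Authorization rules that end up in the reply, in order."""
    return [v for n, v in reply if n == "OSC-Authorize-Group"]


if __name__ == "__main__":
    for fn in (add_if_not_exist_per_instance, add_if_not_exist_per_call, add_to_reply):
        print(fn.__name__)
        for rule in rules(fn([], ATTRS)):
            print("   ", rule)
```

In the per-instance model only the first permit rule reaches the reply; the deny rule and the priv-lvl rule are dropped, so a rule count check on the reply is a quick way to catch this configuration mistake.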