On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
> I just tried to implement a check for group membership:
> 
> AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
> 
> OSC-Group-Identifier-LDAP is a multi-value attribute derived from
> OSC-Group-Identifier with a PreAuthHook, basically just to transform the
> support groups of a device into the corresponding LDAP CNs.
> According to the trace 4 log the check runs twice but both times using
> the first OSC-Group-Identifier-LDAP value.
> Is this a bug?

I think this is the intended behaviour. The code always fetches a single
value for the named attribute. This means it always gets the first
attribute's value. It does not try to fetch all values of the named
attribute.

Currently you could use a PostSearchHook to do something like this:
my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');

Since @ldap_groups is an array, you will get all values of
OSC-Group-Identifier-LDAP, not just the first one.

Then you can try each LDAP memberOf attribute value against the
OSC-Group-Identifier-LDAP attribute values to see if there's a match:

my $memberof = $entry->get_value('memberOf', asref => 1);
foreach my $group (@$memberof) {
   # grep returns only the matching elements; map in boolean context would
   # return the size of @ldap_groups and be true whenever the list is non-empty
   return 1 if grep { lc $group eq lc $_ } @ldap_groups;
}
return 0;



Also, we discussed here about adding support for RADIUS attributes that
can be present multiple times. This would mean that e.g., if there are 4
Framed-IP-Address attributes, you could have something like this (flat
file format):

mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4

This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.

Any comments about how useful you or the others would find this are
appreciated.

Thanks,
Heikki

-- 
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
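As an added illustration of the membership check discussed in the reply above (this is not code from the thread or from Radiator), the following stand-alone Perl script runs a map-based and a grep-based version of the test side by side against mocked objects. It assumes that $p->get_attr returns all values of a multi-value attribute in list context and that $entry->get_value('memberOf', asref => 1) returns an array reference, as Net::LDAP::Entry does; the group names and DNs are constructed sample data.

```perl
#!/usr/bin/perl
# Constructed example: compares a map-based and a grep-based group
# membership test using minimal stand-ins for the Radiator request
# object ($p) and the Net::LDAP entry ($entry) a PostSearchHook sees.
use strict;
use warnings;

package MockRequest;
# Assumption: get_attr returns all values in list context, first in scalar.
sub new { my ($class, %attrs) = @_; return bless { attrs => \%attrs }, $class; }
sub get_attr {
    my ($self, $name) = @_;
    my @values = @{ $self->{attrs}{$name} || [] };
    return wantarray ? @values : $values[0];
}

package MockEntry;
# Assumption: get_value(..., asref => 1) returns an array ref like Net::LDAP.
sub new { my ($class, %attrs) = @_; return bless { attrs => \%attrs }, $class; }
sub get_value {
    my ($self, $name, %opts) = @_;
    my @values = @{ $self->{attrs}{$name} || [] };
    return $opts{asref} ? \@values : $values[0];
}

package main;

# Broken variant: map in boolean context yields the number of elements in
# @ldap_groups, so any non-empty group list makes this return 1 for every
# user, whether or not they are a member (a fail-open check).
sub member_with_map {
    my ($p, $entry) = @_;
    my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');
    my $memberof = $entry->get_value('memberOf', asref => 1) || [];
    foreach my $group (@$memberof) {
        return 1 if (map { lc $group eq lc $_ } @ldap_groups);
    }
    return 0;
}

# Fixed variant: grep returns only the matching elements, so the test is
# true only when a memberOf value matches one of the allowed groups
# case-insensitively.
sub member_with_grep {
    my ($p, $entry) = @_;
    my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');
    my $memberof = $entry->get_value('memberOf', asref => 1) || [];
    foreach my $group (@$memberof) {
        return 1 if grep { lc $group eq lc $_ } @ldap_groups;
    }
    return 0;
}

# Constructed sample data: two allowed groups, one member, one non-member.
my $p = MockRequest->new(
    'OSC-Group-Identifier-LDAP' => [
        'CN=NetOps,OU=Groups,DC=example,DC=com',
        'CN=SecOps,OU=Groups,DC=example,DC=com',
    ],
);
my $member     = MockEntry->new(memberOf => ['cn=secops,ou=groups,dc=example,dc=com']);
my $non_member = MockEntry->new(memberOf => ['CN=HelpDesk,OU=Groups,DC=example,DC=com']);

printf "map  : member=%d non_member=%d\n",
    member_with_map($p, $member), member_with_map($p, $non_member);
printf "grep : member=%d non_member=%d\n",
    member_with_grep($p, $member), member_with_grep($p, $non_member);
```

With this data the map-based check reports the HelpDesk user as a member too, while the grep-based check accepts only the SecOps user; the lower-casing in the comparison also handles the case differences that LDAP DNs commonly show between sources.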
