[RADIATOR] AuthAttrDef for multi-value Radius attribute check

Heikki Vatiainen hvn at open.com.au
Tue Sep 17 07:23:50 CDT 2013


On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
> I just tried to implement a check for group membership:
> 
> AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
> 
> OSC-Group-Identifier-LDAP is a multi-value attribute derived from
> OSC-Group-Identifier with a PreAuthHook, basically just to transform the
> support groups of a device into the corresponding LDAP CNs.
> According to the trace 4 log the check runs twice but both times using
> the first OSC-Group-Identifier-LDAP value.
> Is this a bug?

I think this is the intended behaviour. The code always fetches a single
value for the named attribute. This means it always gets the first
attribute's value. It does not try to fetch all values of the named
attribute.

Currently you could use a PostSearchHook to do something like this:
my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');

Since @ldap_groups is an array, you will get all values of
OSC-Group-Identifier-LDAP, not just the first one.

Then you can try each LDAP memberOf attribute value with
OSC-Group-Identifier-LDAP attribute values to see if there's a match:

my $memberof = $entry->get_value('memberOf', asref => 1) || [];
foreach my $group (@$memberof) {
   # grep yields the number of matching groups; map would yield the
   # number of groups compared and so would always be true here
   return 1 if grep { lc $group eq lc $_ } @ldap_groups;
}
return 0;



Also, we have discussed here adding support for RADIUS attributes that
can be present multiple times. This would mean that, e.g., if there are 4
Framed-IP-Address attributes, you could have something like this (flat
file format):

mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4

This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.

Any comments about how useful you or others would find this are
appreciated.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
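The group check discussed in the message above, as an added, self-contained example that is not part of the original post or of Radiator's own code. It compares every memberOf value from the LDAP entry with every value of the multi-valued OSC-Group-Identifier-LDAP attribute, case-insensitively, and sets the correct grep-based test beside a map-based one to show why the choice matters: in Perl, grep in boolean context yields the number of matching elements, while map yields the number of elements it produced, which is simply the size of the group list. The PostSearchHook argument order ($self, $name, $p, $entry, $rp), the group DNs and the memberOf values are assumptions made for the example; confirm the hook signature against your Radiator reference manual before wiring it in.

```perl
#!/usr/bin/perl
# Added example, not Radiator's or the poster's code: a case-insensitive
# "is the user in any allowed group" check over two multi-valued inputs,
# plus the hook wrapper shape it would plug into.
use strict;
use warnings;

# Returns 1 if any memberOf value equals (case-insensitively) any value of
# the allowed-group list, otherwise 0. grep in boolean context yields the
# number of matching elements, which is the test we want.
sub member_of_any {
    my ($memberof, $ldap_groups) = @_;
    foreach my $group (@$memberof) {
        return 1 if grep { lc $group eq lc $_ } @$ldap_groups;
    }
    return 0;
}

# The same loop with map instead of grep. map in boolean context yields the
# number of elements it produced (one per allowed group, true or false), so
# this accepts every user as soon as the allowed-group list is non-empty.
sub member_of_any_broken {
    my ($memberof, $ldap_groups) = @_;
    foreach my $group (@$memberof) {
        return 1 if (map { lc $group eq lc $_ } @$ldap_groups);
    }
    return 0;
}

# Hook wrapper. The argument order ($self, $name, $p, $entry, $rp) is an
# assumption; check the PostSearchHook description in your Radiator
# reference manual. $p->get_attr in list context returns every value of the
# attribute; get_value(..., asref => 1) returns an arrayref, or undef when
# the entry has no memberOf at all, hence the || [] fallback.
sub post_search_hook {
    my ($self, $name, $p, $entry, $rp) = @_;
    my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');
    my $memberof = $entry->get_value('memberOf', asref => 1) || [];
    return member_of_any($memberof, \@ldap_groups);
}

# Constructed sample data standing in for the two lookups above.
my @allowed = (
    'CN=NetOps,OU=Groups,DC=example,DC=com',
    'CN=NetSec,OU=Groups,DC=example,DC=com',
);
my $in_group = [
    'CN=Staff,OU=Groups,DC=example,DC=com',
    'cn=netsec,ou=groups,dc=example,dc=com',   # differs from @allowed only in case
];
my $not_in_group = [
    'CN=Staff,OU=Groups,DC=example,DC=com',
];

for my $case ([ 'member', $in_group ], [ 'non-member', $not_in_group ]) {
    my ($label, $memberof) = @$case;
    printf "%-10s grep: %d   map: %d\n", $label,
        member_of_any($memberof, \@allowed),
        member_of_any_broken($memberof, \@allowed);
}
```

Running the script shows the grep version admitting only the member while the map version admits both, because the map test is true whenever @allowed has at least one element. The lowercase comparison is deliberate: LDAP DNs are case-insensitive in the directory but come back with whatever case the server stores, so an exact string compare would silently fail for otherwise valid group memberships.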
