[RADIATOR] AuthAttrDef for multi-value Radius attribute check

Alexander Hartmaier alexander.hartmaier at t-systems.at
Tue Sep 17 07:48:43 CDT 2013


Hi Heikki,

On 2013-09-17 14:23, Heikki Vatiainen wrote:
> On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
>> I just tried to implement a check for group membership:
>>
>> AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
>>
>> OSC-Group-Identifier-LDAP is a multi-value attribute derived from
>> OSC-Group-Identifier with a PreAuthHook, basically just to transform the
>> support groups of a device into the corresponding LDAP CNs.
>> According to the trace 4 log the check runs twice but both times using
>> the first OSC-Group-Identifier-LDAP value.
>> Is this a bug?
> I think this is the intended behaviour. The code always fetches a single
> value for the named attribute. This means it always gets the first
> attribute's value. It does not try to fetch all values of the named
> attribute.
>
> Currently you could use a PostSearchHook to do something like this:
> my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');
I already use get_attr in my hook that generates
OSC-Group-Identifier-LDAP from OSC-Group-Identifier and found in the
comments that it returns a list in list context. Had to change my hook
to handle OSC-Group-Identifier in cases where it contains more than one
value.
>
> Since @ldap_groups is an array, you will get all values of
> OSC-Group-Identifier-LDAP, not just the first one.
>
> Then you can try each LDAP memberOf attribute value with the
> OSC-Group-Identifier-LDAP attribute values to see if there's a match:
>
> my $memberof = $entry->get_value('memberOf', asref => 1);
> foreach my $group (@$memberof) {
>    # grep (not map) so the condition is true only when a value actually matches
>    return 1 if (grep {lc $group eq lc $_} @ldap_groups);
> }
> return 0;
5.38.21 PostSearchHook from the 4.12 reference doc doesn't describe how
the return value influences the request handling. Is this something
common to all hooks and described somewhere else?

>
> Also, we discussed here about adding support for RADIUS attributes that
> can be present multiple times. This would mean that e.g., if there are 4
> Framed-IP-Address attributes, you could have something like this (flat
> file format):
>
> mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4
>
> This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.
>
> Any comments about how useful you or the others would see this is
> appreciated.
A syntax to define whether any value or all values have to match is highly
anticipated!
>
> Thanks,
> Heikki
>

--
Best regards, Alexander Hartmaier

T-Systems Austria GesmbH
TSS Security Services
Network Security & Monitoring Engineer

phone: +43(0)57057-4320
fax: +43(0)57057-954320



*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
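The matching logic discussed above (comparing every value of a multi-valued request attribute against every LDAP memberOf value, with either "any" or "all" semantics) can be tried stand-alone. The script below is an added example written for this page; it is not Radiator code and not code from either poster. The group DNs and memberOf values are constructed sample data standing in for what `$p->get_attr('OSC-Group-Identifier-LDAP')` (list context) and `$entry->get_value('memberOf', asref => 1)` would return inside a real PostSearchHook.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (hypothetical DNs, not from any real directory).
# In a PostSearchHook these would come from the request attribute and the
# LDAP entry; here they are inlined so the script runs offline.
my @ldap_groups = (
    'CN=NetOps,OU=Groups,DC=example,DC=org',
    'CN=SecOps,OU=Groups,DC=example,DC=org',
);
my @memberof = (
    'cn=secops,ou=groups,dc=example,dc=org',   # DNs compare case-insensitively
    'CN=Helpdesk,OU=Groups,DC=example,DC=org',
);

# Case-insensitive test: is one required group DN among the memberOf values?
# grep in scalar context returns the number of matching elements. map would
# return the number of elements examined, which is true whenever the list is
# non-empty, so a map-based check would "match" every user in some group.
sub is_member {
    my ($group, $memberof) = @_;
    return scalar grep { lc $_ eq lc $group } @$memberof;
}

# "any" semantics: pass when the user is in at least one required group.
sub any_group_matches {
    my ($groups, $memberof) = @_;
    for my $g (@$groups) {
        return 1 if is_member($g, $memberof);
    }
    return 0;
}

# "all" semantics: pass only when the user is in every required group.
# An empty requirement list is treated as a failed check rather than a
# vacuous pass, so a misconfigured or missing attribute cannot grant access.
sub all_groups_match {
    my ($groups, $memberof) = @_;
    return 0 unless @$groups;
    for my $g (@$groups) {
        return 0 unless is_member($g, $memberof);
    }
    return 1;
}

printf "any-match: %d\n", any_group_matches(\@ldap_groups, \@memberof);
printf "all-match: %d\n", all_groups_match(\@ldap_groups, \@memberof);
```

With the sample data the user belongs to SecOps but not NetOps, so the "any" check passes and the "all" check fails; swapping the two policies is a one-word change in the hook, which is the distinction the thread asks the future `%{RequestOr:...}`-style syntax to make explicit.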

