Greetings,

I have to control authorization based on a (possibly) multi-valued LDAP reply attribute called employeeType. I have all of the LDAP code working fine, but seem to have hit a snag. Each user has 1 to ??? (usually a max of 5 or so) employeeType values. The pertinent ones include "STAFF", "STAFF TEMPORARY", "STAFF OFFSITE", and "STAFF RETIRED". I need to allow all "STAFF" types access, unless their one and only "STAFF*" is "STAFF RETIRED" (yes, don't get me started, but it's considered "perfectly valid" for someone to have employeeTypes of staff, staff retired, and staff offsite).

So essentially, I need to allow in anyone with "STAFF", not followed by " RETIRED". At the moment, I'm using %{reply:employeeType[*]} which works fine for regex matching all of the other funky attributes that should grant access. But I can't seem to figure out how to say, either with unlang comparisons or regexes (I'm on CentOS/RedHat, so I assume it would be POSIX, either BRE or ERE) or both, how to exclude that one condition.

Examples:
STAFF, STAFF RETIRED, SALARIED -> Accept
STAFF -> Accept
STAFF RETIRED -> Reject
STAFF, STAFF TEMPORARY -> Accept
FOO, STAFF RETIRED, BAR -> Reject
FOO, STAFF, BAR -> Accept

Any hints or guidance would be greatly appreciated. I've searched through all of the regex material I could find, and asked on #regex IRC and as many regex gurus as I could find, and the best answer I got was to combine regexes with some sort of unlang construct... but I can't seem to think of anything which will match my logical need... "the string STAFF not followed immediately by the string RETIRED".

Thanks,
Jason Antman

PS - I know the Right answer here is "fix your LDAP schema". Unfortunately, I don't have any control over that. Or even the power to make suggestions. All I have is a directive of who gets in and who doesn't.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

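The decision rule described in the post, as an added worked example that is not part of the original message and not FreeRADIUS configuration: a Python model of "accept if some employeeType value is STAFF-something but not STAFF RETIRED", evaluated over the six sample cases listed above. It shows two forms of the same rule. The first loops over the values and is the clearest statement of the logic. The second is a single regex written without lookahead so that it stays within POSIX ERE, as the poster assumes the engine is, and is applied to all values joined into one string; the join separator ("," or ", ") is an assumption, as is the idea that %{reply:employeeType[*]} expands to such a joined string. A negative-lookahead pattern is included only for comparison, since lookahead is not POSIX ERE. The function names and sample data are constructed for this example.

```python
import re

# Constructed sample inputs, taken from the six cases in the post above.
# Each entry is (list of employeeType values, expected decision).
SAMPLE_CASES = [
    (["STAFF", "STAFF RETIRED", "SALARIED"], True),
    (["STAFF"], True),
    (["STAFF RETIRED"], False),
    (["STAFF", "STAFF TEMPORARY"], True),
    (["FOO", "STAFF RETIRED", "BAR"], False),
    (["FOO", "STAFF", "BAR"], True),
]


def staff_allowed(values):
    """Per-value check: accept if at least one value starts with STAFF
    and is not exactly 'STAFF RETIRED'.  This is the rule stated in the
    post and is what a loop over the attribute values looks like."""
    return any(v.startswith("STAFF") and v != "STAFF RETIRED" for v in values)


# POSIX ERE has no lookahead, so "STAFF not followed by ' RETIRED'" has to be
# expressed positively.  Applied to all values joined into one string, this
# matches a STAFF value that is at the start or after a separator and is
# followed by end-of-string, a separator, or a space plus a non-R character.
# Assumption: values are joined with "," or ", " (no other separator).
# Caveat: it would also reject a hypothetical value such as "STAFF R..."
# that is not RETIRED; extend the alternation if such values exist.
ERE_PATTERN = r"(^|, ?)STAFF($|,| [^R])"
_ere = re.compile(ERE_PATTERN)


def staff_allowed_ere(joined):
    """Single-regex check over the comma-joined attribute values."""
    return _ere.search(joined) is not None


# For comparison only: a PCRE/Python negative lookahead.  This is NOT POSIX
# ERE and cannot be relied on where only an ERE engine is available.
_lookahead = re.compile(r"(^|, ?)STAFF(?! RETIRED)")


def staff_allowed_lookahead(joined):
    """Same rule using lookahead; works here, not in POSIX ERE."""
    return _lookahead.search(joined) is not None


def join_values(values, sep=", "):
    """Model the multi-valued attribute as one string; sep is an assumption."""
    return sep.join(values)


def run_samples():
    """Evaluate all three checks on every sample case.
    Returns a list of (values, expected, (loop, ere, lookahead))."""
    results = []
    for values, expected in SAMPLE_CASES:
        joined = join_values(values)
        got = (
            staff_allowed(values),
            staff_allowed_ere(joined),
            staff_allowed_lookahead(joined),
        )
        results.append((values, expected, got))
    return results


if __name__ == "__main__":
    for values, expected, got in run_samples():
        ok = all(g == expected for g in got)
        print(f"{'OK ' if ok else 'BAD'} {values!r:45} -> {expected} {got}")
```

The per-value loop is the form to prefer where the policy engine lets you test each value separately, because it does not depend on how the values are joined; the joined-string regex only works if the separator really is what the pattern expects, so check the actual expansion in the debug output before trusting it.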