Closed cornelinux closed 6 years ago
Similarly to #9, we could also try an unlang-based approach here.
I have a user Administrator@dc whose memberOf user info attribute contains five group DNs (and I have privacyidea/privacyidea#882 merged). With the following rlm_perl.ini:
...
[Mapping user]
memberOf = Class
and no modifications to the perl module and an unchanged FreeRADIUS config, the RADIUS response already contains all entries:
Sent Access-Request Id 127 from 0.0.0.0:35022 to 192.168.33.201:1812 length 86
User-Name = "administrator@dc"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1000
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 127 from 192.168.33.201:1812 to 0.0.0.0:0 length 319
Class = 0x434e3d47726f757020506f6c6963792043726561746f72204f776e6572732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
Class = 0x434e3d446f6d61696e2041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
Class = 0x434e3d456e74657270726973652041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
Class = 0x434e3d536368656d612041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
Class = 0x434e3d41646d696e6973747261746f72732c434e3d4275696c74696e2c44433d74657374666f6f2c44433d696e7472616e6574
Reply-Message = "privacyIDEA access granted"
I think we could make it only return the first entry by using the following unlang snippet: /etc/freeradius/sites-available/privacyidea:
...
post-auth {
        update reply {
                # "==" in an update section acts as a filter: it removes every
                # Class entry whose value differs from the first one, so only
                # one Class attribute is left in the reply.
                Class == "%{reply:Class[0]}"
        }
}
Like that:
Sent Access-Request Id 220 from 0.0.0.0:35265 to 192.168.33.201:1812 length 86
User-Name = "administrator@dc"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1000
Message-Authenticator = 0x00
Cleartext-Password = "test"
Received Access-Accept Id 220 from 192.168.33.201:1812 to 0.0.0.0:0 length 112
Reply-Message = "privacyIDEA access granted"
Class = 0x434e3d47726f757020506f6c6963792043726561746f72204f776e6572732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
Some user attributes may return not only a single value but a list, like mobile or memberOf. The choice might be based on the number/ordering or on a regexp.