privacyidea / FreeRADIUS

Add two factor authentication to FreeRADIUS via privacyIDEA
GNU General Public License v2.0

Mapping return values of lists #8

Closed (cornelinux closed this 6 years ago)

cornelinux commented 6 years ago

Some user attributes may return not only a single value but a list, like mobile or memberOf.

  1. The attribute mapping needs to allow either to "choose" one entry or
  2. to return all entries in the RADIUS response attribute.

The choosing might be based on the number/ordering or on a regexp.

fredreichbier commented 6 years ago

Similarly to #9, we could also try an unlang-based approach here. I have a user Administrator@dc whose memberOf user info attribute contains five group DNs (and I have privacyidea/privacyidea#882 merged). With the following rlm_perl.ini:

...
[Mapping user]
memberOf = Class

and no modifications to the perl module and an unchanged FreeRADIUS config, the RADIUS response already contains all entries:

Sent Access-Request Id 127 from 0.0.0.0:35022 to 192.168.33.201:1812 length 86
    User-Name = "administrator@dc"
    User-Password = "test"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1000
    Message-Authenticator = 0x00
    Cleartext-Password = "test"
Received Access-Accept Id 127 from 192.168.33.201:1812 to 0.0.0.0:0 length 319
    Class = 0x434e3d47726f757020506f6c6963792043726561746f72204f776e6572732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
    Class = 0x434e3d446f6d61696e2041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
    Class = 0x434e3d456e74657270726973652041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
    Class = 0x434e3d536368656d612041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
    Class = 0x434e3d41646d696e6973747261746f72732c434e3d4275696c74696e2c44433d74657374666f6f2c44433d696e7472616e6574
    Reply-Message = "privacyIDEA access granted"

I think we could make it only return the first entry by using the following unlang snippet in /etc/freeradius/sites-available/privacyidea:

...
post-auth {
        update reply {
                Class == "%{reply:Class[0]}"
        }
}

Like this:

Sent Access-Request Id 220 from 0.0.0.0:35265 to 192.168.33.201:1812 length 86
    User-Name = "administrator@dc"
    User-Password = "test"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1000
    Message-Authenticator = 0x00
    Cleartext-Password = "test"
Received Access-Accept Id 220 from 192.168.33.201:1812 to 0.0.0.0:0 length 112
    Reply-Message = "privacyIDEA access granted"
    Class = 0x434e3d47726f757020506f6c6963792043726561746f72204f776e6572732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574
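An added example, not code from this thread or from the privacyidea/FreeRADIUS module, showing in Python what the two behaviours discussed above look like: the Class values from the radtest output are decoded (Class is an octets attribute, so radtest prints it as hex) and the [Mapping user] entry memberOf = Class is applied either to every entry of memberOf or, through a hypothetical per-attribute selector, to one entry by index or to the entries matching a regexp. The user-info dict, the selector syntax and the function names are assumptions, not the project's API.

```python
import re

def decode_octets(value):
    """Turn a radtest-printed octets value ("0x...") back into text;
    RADIUS Class is an octets attribute, so radtest shows it hex-encoded."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("utf-8")
    return value

def select_entries(entries, selector=None):
    """Hypothetical selector for a multi-valued user attribute:
    None -> all entries, int -> one entry by ordering (like Class[0]),
    str  -> only the entries matching the regexp."""
    if selector is None:
        return list(entries)
    if isinstance(selector, int):
        return [entries[selector]] if -len(entries) <= selector < len(entries) else []
    pattern = re.compile(selector)
    return [e for e in entries if pattern.search(e)]

def map_user_info(user_info, mapping, selectors=None):
    """Apply an rlm_perl.ini-style [Mapping user] section to privacyIDEA user info.
    Returns (RADIUS attribute, value) pairs; a list-valued user attribute yields
    one pair, i.e. one reply attribute, per selected entry."""
    selectors = selectors or {}
    reply = []
    for user_attr, radius_attr in mapping.items():
        raw = user_info.get(user_attr)
        if raw is None:
            continue
        entries = [str(e) for e in (raw if isinstance(raw, list) else [raw])]
        for value in select_entries(entries, selectors.get(user_attr)):
            reply.append((radius_attr, value))
    return reply

# Constructed sample: the first two Class values from the radtest output above,
# decoded to rebuild the memberOf list the perl module receives from privacyIDEA.
CLASS_HEX = [
    "0x434e3d47726f757020506f6c6963792043726561746f72204f776e6572732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574",
    "0x434e3d446f6d61696e2041646d696e732c434e3d55736572732c44433d74657374666f6f2c44433d696e7472616e6574",
]
USER_INFO = {"username": "administrator",
             "memberOf": [decode_octets(h) for h in CLASS_HEX]}
MAPPING = {"memberOf": "Class"}  # the [Mapping user] section quoted above

if __name__ == "__main__":
    print(map_user_info(USER_INFO, MAPPING))                   # both entries
    print(map_user_info(USER_INFO, MAPPING, {"memberOf": 0}))  # first entry only
    print(map_user_info(USER_INFO, MAPPING, {"memberOf": r"^CN=Domain Admins,"}))
```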