would be specified by name.
====
-Group checks can be performed using the xlat `%(ldap.memberof:)`.
+Group checks can be performed using the xlat `%ldap.memberof()`.
Using this xlat, will, (if group caching is not enabled or the
ldap module has not already been called) result in one or more
queries being sent to the LDAP Directory to determine if the
[source,unlang]
----
-if (%(ldap.memberof:cn=foo,ou=groups,dc=example,dc=com) == true) {
+if (%ldap.memberof(cn=foo,ou=groups,dc=example,dc=com) == true) {
&reply.Reply-Message := "Welcome member of group 'foo'"
}
----
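Review bot: the DN argument in the `if` condition is unquoted and contains commas, while elsewhere in this change commas separate arguments (`%exec('/usr/bin/id', '-u')`) and string arguments are quoted (`%sql("SELECT ...")`). Please confirm the parser takes `cn=foo,ou=groups,dc=example,dc=com` as a single argument. If it does not, quote the DN here and in the `authorized_users` example, so that readers copying the documented form get a group check that evaluates the DN they intended.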
[source,unlang]
----
-if (%(ldap.memberof:foo) == true) {
+if (%ldap.memberof(foo) == true) {
&reply.Reply-Message := "Welcome member of group 'foo'"
}
----
= Locating the user
No matter how the LDAP module is called (via its `authorize`, `authenticate`,
-`accounting` methods or the `%(ldap.memberof:)` xlat) the first operation the
+`accounting` methods or the `%ldap.memberof()` xlat) the first operation the
module performs it to populate `&control.LDAP-UserDN` with the location of
the authenticating user's object in LDAP.
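Review bot: the context line right after the changed one reads "module performs it to populate", which should be "is to populate". It is worth fixing in the same pass since this paragraph is already being edited.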
}
----
-Group checks may be performed using the xlat `%(ldap.memberof:)`.
+Group checks may be performed using the xlat `%ldap.memberof()`.
[source,unlang]
----
...
recv Access-Request {
ldap
- if (%(ldap.memberof:cn=authorized_users,ou=groups,dc=example,dc=com) == true) {
+ if (%ldap.memberof(cn=authorized_users,ou=groups,dc=example,dc=com) == true) {
reject
}
...
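Review bot: the `recv Access-Request` example calls `reject` when `%ldap.memberof(cn=authorized_users,ou=groups,dc=example,dc=com) == true`, so as written it rejects members of the group named `authorized_users`. This predates the syntax conversion, but the line is being rewritten anyway. If the intent is to reject users who are not in the group, the comparison should be negated (`== false`), otherwise the documented policy is the opposite of what an operator would expect to copy.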
allows the supplicant and server to negotiate a mutually acceptable
EAP type. If, however, you want to avoid the additional round trips
involved in that negotiation, you can use
-`%(aka_sim_id_method:%{User-Name})` in the top level virtual server,
+`%aka_sim_id_method(%{User-Name})` in the top level virtual server,
which will return the EAP method hinted by the identity, and then
set `&control.EAP-Type` to an appropriate value before calling the
EAP module.
values:
- The encrypt expansions of the `rlm_cipher` module.
-- The `%(3gpp_pseudonym_encrypt:)` expansion.
+- The `%3gpp_pseudonym_encrypt()` expansion.
- The `%randstr()` expansion.
NOTE: Add a `&reply.Next-Pseudonym-Id` attribute in this section to
Other modules could be used here.
-You can even invoke synchronous checks using the %(exec:...) xlat in
+You can even invoke synchronous checks using the %exec(...) xlat in
which case timeout should be set to less than the check trigger
interval to avoid buildup of checks when resources do not respond.
See rlm_exec for details.
[source,unlang]
----
group {
- &reply.Reply-Message += %(sql:SELECT ...)
+ &reply.Reply-Message += %sql("SELECT ...")
&reply.Filter-Id := "foo"
}
----
if (&User-Name == "bob") {
uint32 len
- &len := %(length:%{User-Name})
+ &len := %length(%{User-Name})
&Reply-Message := "Length of %{User-Name} is %{len}"
}
}
# "len" is created, and can now be used
- &len := %(length:%{User-Name})
+ &len := %length(%{User-Name})
&Reply-Message := "Length of %{User-Name} is %{len}"
}
----
-The variable declaration and assignment must be sepaarted. Constructions like `uint32 len = %(length:%{User-Name})` are not allowed.
+The variable declaration and assignment must be sepaarted. Constructions like `uint32 len = %length(%{User-Name})` are not allowed.
// Copyright (C) 2023 Network RADIUS SAS. Licenced under CC-by-NC 4.0.
// This documentation was developed by Network RADIUS SAS.
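Review bot: the rewritten sentence still carries the typo "sepaarted". Change it to "separated" while this line is being touched.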
...
```
-=== %(debug_attr:<list:[index]>)
+=== %debug_attr(<list:[index]>)
Print to debug output all instances of current attribute, or all attributes in a list.
expands to a zero-length string.
----
recv Access-Request {
if (&request.User-Name == "bob") {
- "%(debug_attr:request[*])"
+ "%debug_attr(request[*])"
}
...
}
(0) &request.NAS-IP-Address = 127.0.1.1
(0) &request.NAS-Port = 1
(0) &request.Message-Authenticator = 0x9210ee447a9f4c522f5300eb8fc15e14
-(0) EXPAND %(debug_attr:request[*])
+(0) EXPAND %debug_attr(request[*])
(0) } # if (&request.User-Name == "bob") (...)
...
```
This expansion is only useful where the time resolution is in seconds.
If more resolution is needed, the xref:xlat/builtin.adoc[builtin]
-`%(time:...)` expansion should be used instead.
+`%time(...)` expansion should be used instead.
`%Y()`::
-------------------------------------------------------------------------------
bob Password.Cleartext := "hello"
- Callback-Id = "%(exec:/bin/echo Hello, there)"
+ Callback-Id = "%exec('/bin/echo', "Hello, there")
-------------------------------------------------------------------------------
The `echo` program may be in `/usr/bin/echo`, depending on your local system. On
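Review bot: the new `Callback-Id` value has unbalanced quoting. It opens with `"`, then `"Hello, there"` uses double quotes again inside it, and the closing `"` that the removed line had is gone. Use single quotes for the inner argument and restore the closing quote, matching the `%exec('/usr/bin/id', '-u')` form used later in the same file, and update the sample `EXPAND` debug line to match.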
(0) files : users: Matched entry bob at line 1
Executing: /bin/echo Hello, there:
Program returned code (0) and output 'Hello, there'
-(0) files : EXPAND %(exec:/bin/echo Hello, there)
+(0) files : EXPAND %exec('/bin/echo', "Hello, there")
(0) files : --> Hello, there
(0) [files] = ok
-------------------------------------------------------------------------------
first entry and should send another request with a different NAS-Port.
-------------------------------------------------------------------------------
-bob Password.Cleartext := "hello", NAS-Port == "%(exec:/usr/bin/id -u)"
+bob Password.Cleartext := "hello", NAS-Port == "%exec('/usr/bin/id', '-u')"
Reply-Message = "Your port is very nice.",
Session-Timeout = "%{60 * 60}"
-bob Password.Cleartext := "hello", NAS-Port != "%(exec:/usr/bin/id -u)"
+bob Password.Cleartext := "hello", NAS-Port != "%exec('/usr/bin/id', '-u')"
Reply-Message = "Your port is less nice.",
Session-Timeout = "%{60 * 2}"
-------------------------------------------------------------------------------
#
# May be an attribute reference, e.g. `&User-Name`, or `xlat`, `literal` or `exec`.
#
- reference = "messages.%{&reply.Packet-Type || default}"
+ reference = "messages.%{&reply.Packet-Type || 'default'}"
#
# messages { ... }::
permissions = 0600
}
- reference = "Accounting-Request.%{&Acct-Status-Type || unknown}"
+ reference = "Accounting-Request.%{&Acct-Status-Type || 'unknown'}"
#
# Example for `Accounting-Request`.
# TIP: We give both examples here, but *only one should be used*.
#
# local_cpw = %exec('/path/to/script', %mschap(User-Name), %{MS-CHAP-New-Password.Cleartext})
- local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'")
+# local_cpw = %sql("UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{User-Name}' and attribute='Password.NT'")
}
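Review bot: the `local_cpw` line is not converted but commented out, which changes the shipped default in a commit that otherwise only rewrites xlat syntax. With both the `%exec` and `%sql` examples now commented, the section has no active `local_cpw`, yet the TIP above still says only one should be used. If disabling it is intended, say so in the commit message and adjust the TIP. Also indent the new `#` to match the commented `%exec` line above it.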
return RLM_MODULE_REJECT;
} else {
# Accept user and set some attribute
- if (&radiusd::xlat("%(client:group)") eq 'UltraAllInclusive') {
+ if (&radiusd::xlat("%client(group)") eq 'UltraAllInclusive') {
# User called from NAS with unlim plan set, set higher limits
$RAD_REPLY{'h323-credit-amount'} = "1000000";
} else {
# Outputs the contents of the control list in debugging (-X) mode
#
debug_control {
- if (%(debug_attr:control)) {
+ if (%debug_attr(control)) {
noop
}
}
# Outputs the contents of the request list in debugging (-X) mode
#
debug_request {
- if (%(debug_attr:request)) {
+ if (%debug_attr(request)) {
noop
}
}
# Outputs the contents of the reply list in debugging (-X) mode
#
debug_reply {
- if (%(debug_attr:reply)) {
+ if (%debug_attr(reply)) {
noop
}
}
# Outputs the contents of the session state list in debugging (-X) mode
#
debug_session_state {
- if (%(debug_attr:session-state)) {
+ if (%debug_attr(session-state)) {
noop
}
}
# an Operator-Name attribute
#
operator-name.authorize {
- if ("%(client:Operator-Name)") {
- &request.Operator-Name = "%(client:Operator-Name)"
+ if ("%client(Operator-Name)") {
+ &request.Operator-Name = "%client(Operator-Name)"
}
}
# allows the supplicant and server to negotiate a mutually acceptable
# EAP type. If, however, you want to avoid the additional round trips
# involved in that negotiation, you can use
- # `%(aka_sim_id_method:%{User-Name})` in the top level virtual server,
+ # `%aka_sim_id_method(%{User-Name})` in the top level virtual server,
# which will return the EAP method hinted by the identity, and then
# set `&control.EAP-Type` to an appropriate value before calling the
# EAP module.
# values:
#
# - The encrypt expansions of the `rlm_cipher` module.
- # - The `%(3gpp_pseudonym_encrypt:)` expansion.
+ # - The `%3gpp_pseudonym_encrypt()` expansion.
# - The `%randstr()` expansion.
#
# NOTE: Add a `&reply.Next-Pseudonym-Id` attribute in this section to
#
# Other modules could be used here.
#
- # You can even invoke synchronous checks using the %(exec:...) xlat in
+ # You can even invoke synchronous checks using the %exec(...) xlat in
# which case timeout should be set to less than the check trigger
# interval to avoid buildup of checks when resources do not respond.
# See rlm_exec for details.