From: Alan T. DeKok Date: Sat, 30 Sep 2023 16:49:06 +0000 (-0400) Subject: more move docs and examples to new function syntax X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c5a47c8b3df9da84b81d69208b6b85883b8fd1f;p=thirdparty%2Ffreeradius-server.git more move docs and examples to new function syntax --- diff --git a/doc/antora/modules/raddb/pages/mods-available/always.adoc b/doc/antora/modules/raddb/pages/mods-available/always.adoc index 8861397a4ab..51cfc9a8637 100644 --- a/doc/antora/modules/raddb/pages/mods-available/always.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/always.adoc @@ -60,9 +60,9 @@ returned by the instance. .Example ``` -%{db_status:ok} -%{db_status:fail} -%{db_status:notfound} +%db_status(ok) +%db_status(fail) +%db_status(notfound) ... ``` @@ -72,7 +72,7 @@ current status without affecting it call the xlat with an empty argument: .Example ``` -%{db_status:} +%db_status() ``` diff --git a/doc/antora/modules/raddb/pages/mods-available/cache.adoc b/doc/antora/modules/raddb/pages/mods-available/cache.adoc index a5d7d16d2dc..d92c55fdebe 100644 --- a/doc/antora/modules/raddb/pages/mods-available/cache.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/cache.adoc @@ -144,25 +144,67 @@ max_entries:: Maximum entries allowed. -update { ... }:: The list of attributes to cache for a particular key. +update { ... }:: The attributes to cache for a particular key. -Each key gets the same set of cached attributes. The attributes -are dynamically expanded at run time. +Each key gets the same set of cached attributes. -The semantics of this construct are identical to an `unlang` -update block, except the left hand side of the expression -represents the cache entry. see man unlang for more information -on update blocks. +The operation of the `update` section is a little different +from normal `update` sections. This is because we need to +both reference the attributes which we want to store in the +cache, and also to describe where those attributes are +written to when the cache entry is read. -NOTE: Only `request`, `reply`, `control` and `session-state` lists -are available in cache entries. Attempting to store attributes -in other lists *will raise an error* during config validation. +The solution (albeit an imperfect one) is that the cache +does not store attributes, it stores `update` sections. +The `update` section given below is used as a template +for the cache entry. + +When the cache entry is created, the right-hand side of +each attribute assignment line is expanded. The left-hand +side of the attribute assignment is left alone. + +Once all of the right-hand side values are expanded, the +result is an `update` section with left-hand side +assignments, and right-hand side values. That `update` +section is then cached, indexed by the `key` + +When the cache entry is read, it is looked up by the `key`, +and the cached `update` section is found. This cache entry +now has left-hand side assignments, and right-hand side +values. It is then applied to the current request. + +For example, if the `cache` module is configured with the +block below: + +update { + &reply.Reply-Message := "Hello %{User-Name}" +} + +When the cache entry is created, the module will expand the +right side of the entry, using the attributes from the +packet. In this case, the string could expand to `"Hello bob"`. + +Once all of the right-hand values are expanded, the +resulting cache entry will look like this: + +update { + &reply.Reply-Message := "Hello bob" +} + +When the cache module is read, this `update` section is +applied just as if it had been specified in a configuration +file. + +NOTE: Only `request`, `reply`, `control` and +`session-state` lists are available for the left side of +cache entries. Attempting to reference other lists *will +raise an error* during config validation. . :: -Cache all instances of `Reply-Message in the reply list. +Cache all instances of `link:https://freeradius.org/rfc/rfc2865.html#Reply-Message[Reply-Message]` in the reply list. Add our own to show when the cache was last updated. @@ -324,9 +366,9 @@ cache { # memcached { # options = "--SERVER=localhost" # pool { -# start = 0 -# min = 0 -# max = +# start = 0 +# min = 0 +# max = # spare = 1 # uses = 0 # lifetime = 0 @@ -339,9 +381,9 @@ cache { # password = 'supersecret' # database = 0 # pool { -# start = 0 -# min = 0 -# max = + start = 0 + min = 0 +# max = # spare = 1 # uses = 0 # lifetime = 0 @@ -354,8 +396,8 @@ cache { # max_entries = 0 update { &reply.Reply-Message := &reply.Reply-Message - &reply.Reply-Message := "Cache last updated at %t" - &reply.Class := "%{randstr:ssssssssssssssssssssssssssssssss}" + &reply.Reply-Message += "Cache last updated at %t" + &reply.Class := "%randstr(ssssssssssssssssssssssssssssssss)" } } ``` diff --git a/doc/antora/modules/raddb/pages/mods-available/couchbase.adoc b/doc/antora/modules/raddb/pages/mods-available/couchbase.adoc index 94c427161d5..47d6f2207b2 100644 --- a/doc/antora/modules/raddb/pages/mods-available/couchbase.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/couchbase.adoc @@ -105,10 +105,11 @@ modules, for all kinds of connection-related activity. start:: Connections to create during module instantiation. -If the server cannot create specified number of connections -during instantiation it will exit. -Set to `0` to allow the server to start without the couchbase -being available. + +If the server cannot create specified number of +connections during instantiation it will exit. +Set to `0` to allow the server to start without the +external service being available. @@ -121,13 +122,16 @@ max:: Maximum number of connections. If these connections are all in use and a new one is requested, the request will NOT get a connection. -Setting `max` to LESS than the number of threads means +Setting `max` to *LESS* than the number of threads means that some threads may starve, and you will see errors -like '_No connections available and at max connection limit_' +like _No connections available and at max connection limit_. Setting `max` to MORE than the number of threads means that there are more connections than necessary. +If `max` is not specified, then it defaults to the number +of workers configured. + spare:: Spare connections to be left idle. @@ -218,7 +222,7 @@ couchbase { &Acct-Output-Gigawords = 'outputGigawords' &Event-Timestamp = 'lastUpdated' } - user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}" + user_key = "raduser_%md5(%tolower(%{%{Stripped-User-Name}:-%{User-Name}}))" # read_clients = no client { view = "_design/client/_view/by_id" diff --git a/doc/antora/modules/raddb/pages/mods-available/date.adoc b/doc/antora/modules/raddb/pages/mods-available/date.adoc index edae92b431f..135ecb4d1fd 100644 --- a/doc/antora/modules/raddb/pages/mods-available/date.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/date.adoc @@ -50,19 +50,19 @@ Use e.g. `%date_iso(request):` ### xlat expansions -The `date` module defines an expansion `%{date:}` When the +The `date` module defines an expansion `%date()` When the expansion is not passed an argument, it returns the current date printed according to the `format` string defined above. ."Attribute" mode: -If the argument to `%{date:...}` is an attribute of `date` or +If the argument to `%date(...)` is an attribute of `date` or `integer` type, the date used will be the time given by the relevant attribute. If the attributes is of type `string`, the string will be parsed according to the `format` configuration, and a Unix date will be returned, as integer seconds since the epoch. -For example, `%{date:&Event-Timestamp}` will use the date from the +For example, `%date(&Event-Timestamp)` will use the date from the `link:https://freeradius.org/rfc/rfc2869.html#Event-Timestamp[Event-Timestamp]` attribute as the source of the date for printing. ."Get time" mode: @@ -78,11 +78,11 @@ If the input string begins with `+`, then the remainder of the string is interpreted as if the string had been given in the `format` configuration item. -For example `%{date:'+%A'}` will return `Monday` if today is Monday. +For example `%date('+%A')` will return `Monday` if today is Monday. Note that the `%` character is special for xlat expansions, and therefore either has to be "protected" by string quotation, or the `%` character has -to be escaped itself, as in `%{date:+%%A}` +to be escaped itself, as in `%date(+%%A)` ."Integer output" diff --git a/doc/antora/modules/raddb/pages/mods-available/eap.adoc b/doc/antora/modules/raddb/pages/mods-available/eap.adoc index 49a11a9e237..0c7b37b22cf 100644 --- a/doc/antora/modules/raddb/pages/mods-available/eap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/eap.adoc @@ -1324,7 +1324,7 @@ eap { ca_file = ${cadir}/rsa/ca.pem # psk_identity = "test" # psk_hexphrase = "036363823" -# psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" +# psk_query = "%sql(select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}')" dh_file = ${certdir}/dh # fragment_size = 1024 ca_path = ${cadir} diff --git a/doc/antora/modules/raddb/pages/mods-available/exec.adoc b/doc/antora/modules/raddb/pages/mods-available/exec.adoc index cb73349015a..bcad916ce06 100644 --- a/doc/antora/modules/raddb/pages/mods-available/exec.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/exec.adoc @@ -10,15 +10,25 @@ This module provides an `xlat`. To use it, put `exec` into the `instantiate` section. You can then do dynamic translation of attributes like: - Attribute-Name = "%exec(/path/to/program,args, ...)" + Attribute-Name = %exec(/path/to/program,args, ...) + +The output of `exec` is interpreted as the data type of the attribute. + +The output of `exec` can even be pairs, such as `User-Name = foo`. +Those pairs can be assigned to a list. If the program fails, it +will output nothing. + +Note that when the assignment is to a list, the `exec` call _must_ be +inside of a double-quoted string. + + &request += "%exec(/path/to/program,args, ...)" The value of the attribute will be replaced with the output of the -program which is executed. Due to RADIUS protocol limitations, -any output over `253` bytes will be ignored. +program which is executed. -The RADIUS attributes from the list referenced in the `input_pairs` +The attributes from the list referenced in the `input_pairs` configuraton item will be placed into environment variables of the executed -program, as described in `man unlang` and in `doc/unlang/xlat.adoc` +program. Alternatively, by setting the `program` item of the module configuration, the module can be called as a module rather than as an xlat function. diff --git a/doc/antora/modules/raddb/pages/mods-available/idn.adoc b/doc/antora/modules/raddb/pages/mods-available/idn.adoc index 2fced714759..51163e1c498 100644 --- a/doc/antora/modules/raddb/pages/mods-available/idn.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/idn.adoc @@ -9,7 +9,7 @@ standardized in https://tools.ietf.org/html/rfc3490[RFC 3490]. [NOTE] ==== -The expansion string: `%{idn:example.com}` results in an ASCII +The expansion string: `%idn(example.com)` results in an ASCII punycode version of the domain name. That version can then be used for name comparisons. Using an `i18n` version of the name is *NOT RECOMMENDED*, as that version is not canonical. diff --git a/doc/antora/modules/raddb/pages/mods-available/json.adoc b/doc/antora/modules/raddb/pages/mods-available/json.adoc index d23adb426a0..781adb23cac 100644 --- a/doc/antora/modules/raddb/pages/mods-available/json.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/json.adoc @@ -145,7 +145,7 @@ strings. rlm_json provides the below xlat functions to handle the JSON documents. -### %{json_jpath_validate:...} +### %json_jpath_validate(...) Determine if a jpath expression is valid. @@ -158,7 +158,7 @@ NOTE: Validate parser for everything except unions and expressions. [source,unlang] ---- &control.Tmp-String-0 := '$.my.json.payload[1]' -&reply.Reply-Message := "Validation of %{control.Tmp-String-0} is %{json_jpath_validate:$.my.json.payload[1]}" +&reply.Reply-Message := "Validation of %{control.Tmp-String-0} is %json_jpath_validate($.my.json.payload[1])" ---- .Output @@ -167,7 +167,7 @@ NOTE: Validate parser for everything except unions and expressions. Validation of $.my.json.payload[1] is 20:$.my.json.payload[1] ``` -### %{json_quote:...} +### %json_quote(...) Escapes string for use as a JSON string. @@ -178,7 +178,7 @@ Escapes string for use as a JSON string. [source,unlang] ---- &control.Tmp-String-0 := "caipirinha/gelada" -&reply.Reply-Message := "The string %{control.Tmp-String-0} should be %{json_quote:%{control.Tmp-String-0}} to be a valid JSON string." +&reply.Reply-Message := "The string %{control.Tmp-String-0} should be %json_quote(%{control.Tmp-String-0}) to be a valid JSON string." ---- .Output @@ -187,7 +187,7 @@ Escapes string for use as a JSON string. The string caipirinha/gelada should be caipirinha\\/gelada to be a valid JSON string. ``` -### %{json.encode:...} +### %json.encode(...) Generates a JSON document from a given list of attribute templates. The format of document generated can be controlled with the 'encode' section in @@ -210,7 +210,7 @@ it, `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` and `lin .Example ``` -%{json.encode:&User-Name &Calling-Station-Id} +%json.encode(&User-Name, &Calling-Station-Id) ``` The following will include all attributes in the RADIUS request, except for @@ -219,7 +219,7 @@ The following will include all attributes in the RADIUS request, except for .Example ``` -%{json.encode:&request[*] !&User-Password} +%json.encode(&request[*], !&User-Password) ``` In another (contrived) example, all the attributes in the RADIUS request will @@ -229,7 +229,7 @@ be included in the document, _except_ any attributes in the RADIUS reply. .Example ``` -%{json.encode:&request[*] !&reply[*] &control.User-Name} +%json.encode(&request[*], !&reply[*], &control.User-Name) ``` #### Output format modes diff --git a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc index 2514295c3bf..209402481fb 100644 --- a/doc/antora/modules/raddb/pages/mods-available/ldap.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/ldap.adoc @@ -744,7 +744,7 @@ binds which there can be on a single thread. The rlm_ldap provides the below xlat's functions. -### %{ldap_escape:...} +### %ldap_escape(...} Escape a string for use in an LDAP filter or DN. @@ -758,7 +758,7 @@ update control { &Tmp-String-0 := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)" } update reply { - &Reply-Message := "The LDAP url is %{ldap_escape:%{control.Tmp-String-0}}" + &Reply-Message := "The LDAP url is %ldap_escape(%{control.Tmp-String-0}}" } ---- @@ -768,7 +768,7 @@ update reply { "The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" ``` -### %{ldap_unescape:...} +### %ldap_unescape(...) Unescape a string for use in an LDAP filter or DN. @@ -782,7 +782,7 @@ update control { &Tmp-String-0 := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" } update reply { - &Reply-Message := "The LDAP url is %{ldap_unescape:%{control.Tmp-String-0}}" + &Reply-Message := "The LDAP url is %ldap_unescape(%{control.Tmp-String-0})" } ---- @@ -862,7 +862,7 @@ ldap { # attribute_suspended = 'radiusProfileDn' } accounting { - reference = "%{tolower:type.%{Acct-Status-Type}}" + reference = "%tolower(type.%{Acct-Status-Type})" type { start { update { diff --git a/doc/antora/modules/raddb/pages/mods-available/unix.adoc b/doc/antora/modules/raddb/pages/mods-available/unix.adoc index a8919a28116..98ecf560632 100644 --- a/doc/antora/modules/raddb/pages/mods-available/unix.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/unix.adoc @@ -21,7 +21,7 @@ with `CHAP`, `MS-CHAP`, `PEAP`, etc*. The module also registers a Unix group expansion, where it is possible to check if the user is a member of a particular Unix group. - if (%{unix.group: admin}) { ... + if (%unix.group(admin)) { ... The expansion returns `true` if the `link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` is a membber of the given group, and `false` otherwise. diff --git a/doc/antora/modules/raddb/pages/mods-available/winbind.adoc b/doc/antora/modules/raddb/pages/mods-available/winbind.adoc index 8d0d5e40977..3aaf613e994 100644 --- a/doc/antora/modules/raddb/pages/mods-available/winbind.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/winbind.adoc @@ -37,7 +37,7 @@ actually want it blank it should be explicitly set here. group { ... }:: Group membership checking. -Groups can be checked via the expansion `%{winbind.group:}` +Groups can be checked via the expansion `%winbind.group()` search_username:: AD username to search for group searches. diff --git a/doc/antora/modules/raddb/pages/mods-available/yubikey.adoc b/doc/antora/modules/raddb/pages/mods-available/yubikey.adoc index d4053f06dfe..fce04f5895d 100644 --- a/doc/antora/modules/raddb/pages/mods-available/yubikey.adoc +++ b/doc/antora/modules/raddb/pages/mods-available/yubikey.adoc @@ -153,14 +153,12 @@ Must be set to your API key for the validation server. pool { ... }:: Connection pool parameters. -start:: +start:: Connections to create during module instantiation. -Connections to create during module instantiation. If the server cannot create specified number of connections during instantiation it will exit. - Set to `0` to allow the server to start without the -winbind daemon being available. +external service being available. @@ -173,13 +171,15 @@ max:: Maximum number of connections. If these connections are all in use and a new one is requested, the request will NOT get a connection. -Setting `max` to LESS than the number of threads means +Setting `max` to *LESS* than the number of threads means that some threads may starve, and you will see errors -like 'No connections available and at max connection limit' +like _No connections available and at max connection limit_. Setting `max` to MORE than the number of threads means that there are more connections than necessary. +If `max` is not specified, then it defaults to the number +of workers configured. uses:: Number of uses before the connection is closed. @@ -237,7 +237,7 @@ increase lifetime/idle_timeout. The rlm_yubikey provides the below xlat's functions. -### %{modhextohex:...} +### %modhextohex(...) Convert Yubikey modhex to standard hex. @@ -247,7 +247,7 @@ Convert Yubikey modhex to standard hex. [source,unlang] ---- -"%{modhextohex:vvrbuctetdhc}" == "ffc1e0d3d260" +"%modhextohex(vvrbuctetdhc)" == "ffc1e0d3d260" ---- .Output @@ -274,9 +274,9 @@ yubikey { # client_id = 00000 # api_key = '000000000000000000000000' pool { - start = 0 - min = 0 -# max = + start = 0 + min = 0 +# max = uses = 0 retry_delay = 30 lifetime = 86400 diff --git a/raddb/mods-available/always b/raddb/mods-available/always index e846d95d573..2839869069a 100644 --- a/raddb/mods-available/always +++ b/raddb/mods-available/always @@ -68,9 +68,9 @@ # .Example # # ``` -# %{db_status:ok} -# %{db_status:fail} -# %{db_status:notfound} +# %db_status(ok) +# %db_status(fail) +# %db_status(notfound) # ... # ``` # @@ -80,7 +80,7 @@ # .Example # # ``` -# %{db_status:} +# %db_status() # ``` # diff --git a/raddb/mods-available/cache b/raddb/mods-available/cache index bb669527465..a5314d938d3 100644 --- a/raddb/mods-available/cache +++ b/raddb/mods-available/cache @@ -248,7 +248,7 @@ cache { &reply.Reply-Message += "Cache last updated at %t" # Add your own value for `Class`. - &reply.Class := "%{randstr:ssssssssssssssssssssssssssssssss}" + &reply.Class := "%randstr(ssssssssssssssssssssssssssssssss)" } # diff --git a/raddb/mods-available/couchbase b/raddb/mods-available/couchbase index f9949a8918b..c4bd339c110 100644 --- a/raddb/mods-available/couchbase +++ b/raddb/mods-available/couchbase @@ -109,7 +109,7 @@ couchbase { # # user_key:: Couchbase document key for user documents (`unlang` supported). # - user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}" + user_key = "raduser_%md5(%tolower(%{%{Stripped-User-Name}:-%{User-Name}}))" # # read_clients:: Set to `yes` to read radius clients from the Couchbase view specified below. diff --git a/raddb/mods-available/date b/raddb/mods-available/date index 2e7f8b511e0..f24aa824904 100644 --- a/raddb/mods-available/date +++ b/raddb/mods-available/date @@ -61,19 +61,19 @@ date date_iso { # # ### xlat expansions # -# The `date` module defines an expansion `%{date:}` When the +# The `date` module defines an expansion `%date()` When the # expansion is not passed an argument, it returns the current date # printed according to the `format` string defined above. # # ."Attribute" mode: # -# If the argument to `%{date:...}` is an attribute of `date` or +# If the argument to `%date(...)` is an attribute of `date` or # `integer` type, the date used will be the time given by the # relevant attribute. If the attributes is of type `string`, the # string will be parsed according to the `format` configuration, # and a Unix date will be returned, as integer seconds since the epoch. # -# For example, `%{date:&Event-Timestamp}` will use the date from the +# For example, `%date(&Event-Timestamp)` will use the date from the # `Event-Timestamp` attribute as the source of the date for printing. # # ."Get time" mode: @@ -89,11 +89,11 @@ date date_iso { # string is interpreted as if the string had been given in the # `format` configuration item. # -# For example `%{date:'+%A'}` will return `Monday` if today is Monday. +# For example `%date('+%A')` will return `Monday` if today is Monday. # # Note that the `%` character is special for xlat expansions, and therefore # either has to be "protected" by string quotation, or the `%` character has -# to be escaped itself, as in `%{date:+%%A}` +# to be escaped itself, as in `%date(+%%A)` # # ."Integer output" # diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 4374f244e70..c9a11bfa5e4 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -477,7 +477,7 @@ eap { # Note that this query is just an example. You will # need to customize it for your installation. # -# psk_query = "%{sql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" +# psk_query = "%sql(select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}')" # # For DH cipher suites to work, you have to run OpenSSL to diff --git a/raddb/mods-available/idn b/raddb/mods-available/idn index 99f28ad5dbc..035e59e9ca5 100644 --- a/raddb/mods-available/idn +++ b/raddb/mods-available/idn @@ -12,7 +12,7 @@ # # [NOTE] # ==== -# The expansion string: `%{idn:example.com}` results in an ASCII +# The expansion string: `%idn(example.com)` results in an ASCII # punycode version of the domain name. That version can then be used # for name comparisons. Using an `i18n` version of the name is *NOT # RECOMMENDED*, as that version is not canonical. diff --git a/raddb/mods-available/json b/raddb/mods-available/json index d92a744fc1f..85e135e6c9b 100644 --- a/raddb/mods-available/json +++ b/raddb/mods-available/json @@ -162,7 +162,7 @@ json { # # rlm_json provides the below xlat functions to handle the JSON documents. # -# ### %{json_jpath_validate:...} +# ### %json_jpath_validate(...) # # Determine if a jpath expression is valid. # @@ -175,7 +175,7 @@ json { # [source,unlang] # ---- # &control.Tmp-String-0 := '$.my.json.payload[1]' -# &reply.Reply-Message := "Validation of %{control.Tmp-String-0} is %{json_jpath_validate:$.my.json.payload[1]}" +# &reply.Reply-Message := "Validation of %{control.Tmp-String-0} is %json_jpath_validate($.my.json.payload[1])" # ---- # # .Output @@ -184,7 +184,7 @@ json { # Validation of $.my.json.payload[1] is 20:$.my.json.payload[1] # ``` # -# ### %{json_quote:...} +# ### %json_quote(...) # # Escapes string for use as a JSON string. # @@ -195,7 +195,7 @@ json { # [source,unlang] # ---- # &control.Tmp-String-0 := "caipirinha/gelada" -# &reply.Reply-Message := "The string %{control.Tmp-String-0} should be %{json_quote:%{control.Tmp-String-0}} to be a valid JSON string." +# &reply.Reply-Message := "The string %{control.Tmp-String-0} should be %json_quote(%{control.Tmp-String-0}) to be a valid JSON string." # ---- # # .Output @@ -204,7 +204,7 @@ json { # The string caipirinha/gelada should be caipirinha\\/gelada to be a valid JSON string. # ``` # -# ### %{json.encode:...} +# ### %json.encode(...) # # Generates a JSON document from a given list of attribute templates. The # format of document generated can be controlled with the 'encode' section in @@ -227,7 +227,7 @@ json { # .Example # # ``` -# %{json.encode:&User-Name &Calling-Station-Id} +# %json.encode(&User-Name, &Calling-Station-Id) # ``` # # The following will include all attributes in the RADIUS request, except for @@ -236,7 +236,7 @@ json { # .Example # # ``` -# %{json.encode:&request[*] !&User-Password} +# %json.encode(&request[*], !&User-Password) # ``` # # In another (contrived) example, all the attributes in the RADIUS request will @@ -246,7 +246,7 @@ json { # .Example # # ``` -# %{json.encode:&request[*] !&reply[*] &control.User-Name} +# %json.encode(&request[*], !&reply[*], &control.User-Name) # ``` # # #### Output format modes diff --git a/raddb/mods-available/ldap b/raddb/mods-available/ldap index 85b23957e1d..ab1a058e68a 100644 --- a/raddb/mods-available/ldap +++ b/raddb/mods-available/ldap @@ -555,7 +555,7 @@ ldap { # replaced with a single attribute. # accounting { - reference = "%{tolower:type.%{Acct-Status-Type}}" + reference = "%tolower(type.%{Acct-Status-Type})" type { start { @@ -832,7 +832,7 @@ ldap { # manage_interval = 0.2 # - # request:: Options specific to requests handled by this connection pool + # request:: Options specific to requests handled by this connection pool # request { # @@ -884,7 +884,7 @@ ldap { # # The rlm_ldap provides the below xlat's functions. # -# ### %{ldap_escape:...} +# ### %ldap_escape(...} # # Escape a string for use in an LDAP filter or DN. # @@ -898,7 +898,7 @@ ldap { # &Tmp-String-0 := "ldap:///ou=profiles,dc=example,dc=com??sub?(objectClass=radiusprofile)" # } # update reply { -# &Reply-Message := "The LDAP url is %{ldap_escape:%{control.Tmp-String-0}}" +# &Reply-Message := "The LDAP url is %ldap_escape(%{control.Tmp-String-0}}" # } # ---- # @@ -908,7 +908,7 @@ ldap { # "The LDAP url is ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" # ``` # -# ### %{ldap_unescape:...} +# ### %ldap_unescape(...) # # Unescape a string for use in an LDAP filter or DN. # @@ -922,7 +922,7 @@ ldap { # &Tmp-String-0 := "ldap:///ou=profiles,dc=example,dc=com??sub?\28objectClass=radiusprofile\29" # } # update reply { -# &Reply-Message := "The LDAP url is %{ldap_unescape:%{control.Tmp-String-0}}" +# &Reply-Message := "The LDAP url is %ldap_unescape(%{control.Tmp-String-0})" # } # ---- # diff --git a/raddb/mods-available/unix b/raddb/mods-available/unix index 864885f9fde..0529fa24c9c 100644 --- a/raddb/mods-available/unix +++ b/raddb/mods-available/unix @@ -24,7 +24,7 @@ # The module also registers a Unix group expansion, where it is possible # to check if the user is a member of a particular Unix group. # -# if (%{unix.group: admin}) { ... +# if (%unix.group(admin)) { ... # # The expansion returns `true` if the `User-Name` is a membber of the given # group, and `false` otherwise. diff --git a/raddb/mods-available/winbind b/raddb/mods-available/winbind index e12113c00e3..f9703a724d0 100644 --- a/raddb/mods-available/winbind +++ b/raddb/mods-available/winbind @@ -43,7 +43,7 @@ winbind { # # group { ... }:: Group membership checking. # - # Groups can be checked via the expansion `%{winbind.group:}` + # Groups can be checked via the expansion `%winbind.group()` # group { # diff --git a/raddb/mods-available/yubikey b/raddb/mods-available/yubikey index aa7cba2766d..f63d2322eba 100644 --- a/raddb/mods-available/yubikey +++ b/raddb/mods-available/yubikey @@ -265,7 +265,7 @@ yubikey { # # The rlm_yubikey provides the below xlat's functions. # -# ### %{modhextohex:...} +# ### %modhextohex(...) # # Convert Yubikey modhex to standard hex. # @@ -275,7 +275,7 @@ yubikey { # # [source,unlang] # ---- -# "%{modhextohex:vvrbuctetdhc}" == "ffc1e0d3d260" +# "%modhextohex(vvrbuctetdhc)" == "ffc1e0d3d260" # ---- # # .Output