Table of Contents
List of Examples
db_url parametertable parameteruser_column parameterdomain_column parametergroup_column parameteruse_domain parameterre_table parameterreg_exp_column parameterre_gid_column parametermultiple_gid parameteris_user_in usageget_user_group usageTable of Contents
This module provides functionalities for different methods of group membership checking.
There is a database table that contains list of users and groups they belong to. The module provides the possibility to check if a specific user belongs to a specific group.
There is no DB caching support, each check involving a DB query.
Another database table contains list of regular expressions and group IDs. A matching occurs if the user URI match the regular expression. This type of matching may be used to fetch the group ID(s) the user belongs to (via RE matching) .
Due performance reasons (regular expression evaluation), DB cache support is available: the table content is loaded into memory at startup and all regular expressions are compiled.
The following modules must be loaded before this module:
A database module, like mysql, postgres or dbtext
URL of the database table to be used.
Default value is “mysql://openserro:openserro@localhost/openser”.
Example 1.1. Set db_url parameter
...
modparam("group", "db_url", "mysql://username:password@dbhost/openser")
...
Name of the table holding strict definitions of groups and their members.
Default value is “grp”.
Name of the “table” column holding usernames.
Default value is “username”.
Name of the “table” column holding domains.
Default value is “domain”.
Name of the “table” column holding groups.
Default value is “grp”.
If enabled (set to non zero value) then domain will be used also used for strict group matching; otherwise only the username part will be used.
Default value is 0 (no).
Name of the table holding definitions for regular-expression based groups. If no table is defined, the regular-expression support is disabled.
Default value is “NULL”.
Name of the “re_table” column holding the regular expression used for user matching.
Default value is “reg_exp”.
Name of the “re_table” column holding the group IDs.
Default value is “group_id”.
This function is to be used for script group membership. The function returns true if username in the given URI is member of the given group and false if not.
Meaning of the parameters is as follows:
URI - URI whose username and optionally domain to be used, this can be one of:
Request-URI - Use Request-URI username and (optionally) domain.
To - Use To username and (optionally) domain.
From - Use From username and (optionally) domain.
Credentials - Use digest credentials username.
$avp(name) - Use the URI from the AVP specified by this pseudo-variable.
group - Name of the group to check.
This function can be used from REQUEST_ROUTE and FAILURE_ROUTE.
This function is to be used for regular expression based group membership. The function returns true if username in the given URI belongs to at least one group; the group ID(s) are returned as AVPs.
Meaning of the parameters is as follows:
URI - URI to be matched against the regular expressions:
Request-URI - Use Request-URI
To - Use To URI.
From - Use From URI
Credentials - Use digest credentials username and realm.
$avp(name) - Use the URI from the AVP specified by this pseudo-variable.
AVP - $avp(name) - the matched group IDs are returned in this AVP.
This function can be used from REQUEST_ROUTE and FAILURE_ROUTE.
Example 1.12. get_user_group usage
...
if (get_user_group("Request-URI", "$avp(i:10)")) {
xgdb("User $ru belongs to $(avp(i:10)[*]) group(s)\n");
....
};
...