Exported variables

Presentation

Exported variables are the variables available to write rules and headers. They are extracted from the users database by the users module.

To create a variable, you’ve just to map a user attributes in LL::NG using Variables » Exported variables. For each variable, the first field is the name which will be used in rules, macros or headers and the second field is the name of the user database field.

Examples for LDAP:

Variable name

LDAP attribute

uid

uid

number

employeeNumber

name

sn

You can define exported variables for each module in the module configuration itself. Variables defined in the main Exported variables will be used for each backend. Variables defined in the exported variables node of the module will be used only for that module.

Exported variables in the Manager

Tip

You can define environment variables in Exported variables, this allows one to populate user session with some environment values. Environment variables will not be queried in users database.

Extend variables using macros and groups

Macros and groups are calculated during authentication process by the portal:

  • macros are used to extend (or rewrite) exported variables. A macro is stored as attributes: it can contain boolean results or any string

  • macros can also be used to import environment variables (these variables are in CGI format). Example: $ENV{HTTP_COOKIE}

  • You can check for group membership of a particular user with the inGroup function, see examples below.

  • If you need more advanced processing of the group list (filtering, rewriting) you may use $groups, a flat list of all the user’s groups, separated by ‘’; ‘’ (default values separator). Or the $hGroups variable which is a perl hash whose keys are the group names.

Example for macros:

# boolean macro
isAdmin -> $uid eq 'foo' or $uid eq 'bar'
# other macro
displayName -> $givenName." ".$surName

# Use a boolean macro in a rule
^/admin -> $isAdmin
# Use a string macro in a HTTP header
Display-Name -> $displayName

Defining a group for admins

# group
admin -> $uid eq 'foo' or $uid eq 'bar'

Using groups in a rule

^/admin -> inGroup('admin')

# Advanced usage
^/admin -> defined $hGroups->{'admin'}
^/admin -> $groups =~ /\badmin\b/

Note

Groups are computed after macros, so a group rule may involve a macro value.

Warning

Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.

# Use a boolean macro in a rule ^/admin -> $isAdmin # Use a string macro in a HTTP header Display-Name -> $displayName

Defining a group for admins

# group
admin -> $uid eq 'foo' or $uid eq 'bar'

Using groups in a rule

^/admin -> $groups =~ /\badmin\b/

# Or with hGroups
^/admin -> defined $hGroups->{'admin'}

# Since 2.0.8
^/admin -> inGroup('admin')

Note

Groups are computed after macros, so a group rule may involve a macro value.

Warning

Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.