ProxySG Content Policy Language Guide
74
has_attribute.name=Tests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the
specified LDAP attribute. If the attribute specified is not configured in the LDAP schema and yes is
used in the expression, the condition always yields false. This trigger is unavailable if the current
transaction is not authenticated (that is, the authenticate property is set to no).
If you reference more than one realm in your policy, consider disambiguating has_attribute tests by
combining them with a realm= test. This reduces the number of extraneous queries to authentication
services for attribute information that does not pertain to that realm.
Important: This condition is incompatible with Novell eDirectory servers. If the name attribute is
configured in the LDAP schema, then all users are reported by the eDirectory server to
have the attribute, regardless of whether they actually do. This can cause unpredictable
results.
Syntax
has_attribute.name=yes|no
where name is an LDAP attribute. Case-sensitivity for the attribute name depends on the realm
definition in configuration.
Layer and Transaction Notes
•Use in <Admin> and <Proxy> layers.
• Applies to proxy and administrate transactions.
• This condition cannot be combined with the authenticate( )or socks.authenticate( )
properties.
Example
; The following policy allows users to access the proxy if they have the
; LDAP attribute ProxyUser. The attribute could have any value, even null.
; Generally this kind of policy would be established in the first proxy layer,
; and would set up either the blacklist or whitelist model, as desired.
<proxy>
authenticate(LDAPRealm)
; Setting up a whitelist model
<proxy>
deny has_attribute.ProxyUser=no
; Setting up a blacklist model
<proxy>
allow has attribute.ProxyUser=yes
deny