ProxySG Content Policy Language Guide
has_attribute.name=
Tests if the current transaction is authenticated in an LDAP realm and if the authenticated user has the specified LDAP attribute. If the attribute specified is not configured in the LDAP schema and yes is used in the expression, the condition always yields false. This trigger is unavailable if the current transaction is not authenticated (that is, the authenticate property is set to no).
If you reference more than one realm in your policy, consider disambiguating has_attribute tests by combining them with a realm= test. This reduces the number of extraneous queries to authentication services for attribute information that does not pertain to that realm.
Important: This condition is incompatible with Novell eDirectory servers. If the name attribute is configured in the LDAP schema, then all users are reported by the eDirectory server to have the attribute, regardless of whether they actually do. This can cause unpredictable results.
Syntax
has_attribute.name=yesno
where name is an LDAP attribute.
Layer and Transaction Notes
•Use in <Admin> and <Proxy> layers.
•Applies to proxy and administrate transactions.
•This condition cannot be combined with the authenticate( )or socks.authenticate( ) properties.
Example
;The following policy allows users to access the proxy if they have the
;LDAP attribute ProxyUser. The attribute could have any value, even null.
;Generally this kind of policy would be established in the first proxy layer,
;and would set up either the blacklist or whitelist model, as desired.
<proxy>
authenticate(LDAPRealm)
;Setting up a whitelist model <proxy>
deny has_attribute.ProxyUser=no
;Setting up a blacklist model <proxy>
allow has attribute.ProxyUser=yes deny
74
