Hello,
I am using FreeRadius v0.7 with rlm_ldap and get this error for all
check items: "Mon Sep 9 10:16:53 2002 : Error: Invalid operator for
item NAS-Port-Type: 11 reverting to '=='".
I have looked through the code and found what I think is the cause:
    static VALUE_PAIR *
    ldap_pairget(LDAP * ld, LDAPMessage * entry,
                 TLDAP_RADIUS * item_map, VALUE_PAIR **pairs)
    {
        ........
        } else {
            /* this is a one-to-one-mapped attribute */
            token = gettoken(&ptr, value, sizeof(value));
            if (token < T_EQSTART || token > T_EQEND) {
                token = T_OP_EQ;
            } else {
                gettoken(&ptr, value, sizeof(value));
            }
        ........
    }
After reading the man on "users" it says:
"Attribute = Value"
Not allowed as a check item.
As a reply item, it means "add the item to the reply list, but only if
there is no other item of the same attribute."
This means the line "token = T_OP_EQ;" should, for checkItems, be "token =
T_OP_CMP_EQ;", i.e. "==" (as a default). But because ldap_pairget() is also
used for replyItems, it will need "token = T_OP_EQ;" for replyItems.
Now, what would be the best way to solve it? I thought a simple way might be
to pass the type of pairs (check or reply) to ldap_pairget() and put an if
statement around "token = T_OP_EQ;", e.g.:
    if (strcasecmp(itemType, "checkItem") == 0) {
        token = T_OP_CMP_EQ;
    } else {
        token = T_OP_EQ;
    }
It works correctly as it is, but the log has these errors for every auth
attempt. My guess is that the comparison of attributes is done by the same
piece of code for all modules; there are documented conventions for operator
types, so should the rlm_ldap module follow those conventions as well?
Also, because there are other operators that could be used, maybe a better
option in the future might be to specify the operator in "ldap.attrmap" for
each item?
Regards
Allister Maguire
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
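The defaulting rule the post argues for, as an added stand-alone example (not rlm_ldap code; the token enum, item_operator() and parse_op() are constructed here and only named after the FreeRADIUS tokens): a bare LDAP value gets "==" when it is a check item and "=" when it is a reply item, and an explicit "=" on a check item is rejected rather than silently coerced.

```c
#include <ctype.h>
#include <string.h>

/* Operator tokens for this example only; names follow the FreeRADIUS
 * ones discussed above, but the enum values are constructed here. */
typedef enum {
    T_OP_INVALID = 0,
    T_OP_EQ,      /* "="  : reply only (add if absent); not a check operator */
    T_OP_CMP_EQ,  /* "==" : check-item comparison */
    T_OP_SET,     /* ":=" */
    T_OP_ADD,     /* "+=" */
    T_OP_NE, T_OP_GE, T_OP_GT, T_OP_LE, T_OP_LT
} op_token;

typedef enum { ITEM_CHECK, ITEM_REPLY } item_type;

/* Read an operator at *p and advance past it; T_OP_INVALID if none.
 * Two-character operators are listed first so "==" is not read as "=". */
static op_token parse_op(const char **p)
{
    static const struct { const char *s; op_token t; } ops[] = {
        {"==", T_OP_CMP_EQ}, {":=", T_OP_SET}, {"+=", T_OP_ADD},
        {"!=", T_OP_NE}, {">=", T_OP_GE}, {"<=", T_OP_LE},
        {">", T_OP_GT}, {"<", T_OP_LT}, {"=", T_OP_EQ},
    };
    const char *s = *p;
    while (isspace((unsigned char)*s)) s++;
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        size_t n = strlen(ops[i].s);
        if (strncmp(s, ops[i].s, n) == 0) { *p = s + n; return ops[i].t; }
    }
    return T_OP_INVALID;
}

/* Decide the operator for an LDAP attribute value such as "11" or "== 11".
 * A bare value defaults per item type; "=" on a check item is refused
 * (the users(5) rule quoted above). *value is left at the value text. */
op_token item_operator(const char *text, item_type type, const char **value)
{
    const char *p = text;
    op_token op = parse_op(&p);
    if (op == T_OP_INVALID) {            /* no operator written: default it */
        op = (type == ITEM_CHECK) ? T_OP_CMP_EQ : T_OP_EQ;
        p = text;
    } else if (type == ITEM_CHECK && op == T_OP_EQ) {
        return T_OP_INVALID;             /* "=" is not allowed as a check item */
    }
    while (isspace((unsigned char)*p)) p++;
    *value = p;
    return op;
}
```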