On Mon, 9 Sep 2002, Allister Maguire wrote:
> Hello,
>
> I am using FreeRadius v0.7 with rlm_ldap and get this error for all
> check items: "Mon Sep 9 10:16:53 2002 : Error: Invalid operator for
> item NAS-Port-Type: 11 reverting to '=='".
>
> I have looked through the code and found what I think is the cause:
>
> static VALUE_PAIR *
> ldap_pairget(LDAP * ld, LDAPMessage * entry,
>              TLDAP_RADIUS * item_map, VALUE_PAIR **pairs)
> {
>
> ........
>
>     } else {
>         /* this is a one-to-one-mapped attribute */
>         token = gettoken(&ptr, value, sizeof(value));
>         if (token < T_EQSTART || token > T_EQEND) {
>             token = T_OP_EQ;
>         } else {
>             gettoken(&ptr, value, sizeof(value));
>         }
>
> ........
>
> }
>
> After reading the man on "users" it says:
> "Attribute = Value"
> Not allowed as a check item.
> As a reply item, it means "add the item to the reply list, but only if
> there is no other item of the same attribute."
>
> This means line "token = T_OP_EQ;" should be for checkItems "token =
> T_OP_CMP_EQ;", " == " (as a default). But because ldap_pairget() is used
> for replyItems also, therefore it will need to "token = T_OP_EQ;" for
> replyItems.
>
> Now then what would be the best way to solve it, I thought a simple way
> might be to pass what type of pairs they are to ldap_pairget(), check or
> reply and put an if statement around "token = T_OP_EQ;" eg:
>
> if (strcasecmp(itemType, "checkItem") == 0) {
>     token = T_OP_CMP_EQ;
> }
> else {
>     token = T_OP_EQ;
> }
OK, I've changed the code a little based on your idea. If we add check items
then we use the '==' operator.
>
> It works correctly as it is, but the log has these errors for every auth
> attempt. My guess is that the comparing of attributes would be done by
> the same piece of code for all modules, there are documented conventions
> for operator type, should the rlm_ldap module follow those conventions
> as well?
>
> Also because there are other operators that could also be used, maybe a
> better option in the future might be specifying the operator in
> "ldap.attrmap" for each item?
You can add an operator in the attribute ldap value. Something like
radiusAuthType: := Local
should work (although I haven't tested it). I think that the defaults are quite
fine.
>
> Regards
> Allister Maguire
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
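
The defaulting rule discussed in this thread, as an added example that is not the rlm_ldap source and not code from either poster: a value taken from the directory may start with an operator, and when it does not, check items default to '==' and reply items to '='. The helper split_ldap_value(), the op_t enum values, the "+=" table entry and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in tokens: names follow the thread, numeric values are constructed. */
typedef enum { T_OP_EQ, T_OP_SET, T_OP_ADD, T_OP_CMP_EQ } op_t;

/* Operator prefixes, two-character forms first so "==" is not read as "=". */
static const struct { const char *text; op_t op; } ops[] = {
    { "==", T_OP_CMP_EQ }, { ":=", T_OP_SET }, { "+=", T_OP_ADD }, { "=", T_OP_EQ },
};

/* Hypothetical helper: split an LDAP attribute value into operator and data.
 * is_check is non-zero for check items, zero for reply items. */
op_t split_ldap_value(const char *value, int is_check, const char **data)
{
    op_t op = is_check ? T_OP_CMP_EQ : T_OP_EQ;   /* default when no prefix */
    size_t i;

    while (*value == ' ') value++;
    for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
        size_t n = strlen(ops[i].text);
        if (strncmp(value, ops[i].text, n) == 0) {
            op = ops[i].op;
            value += n;
            break;
        }
    }
    while (*value == ' ') value++;
    /* "Attribute = Value" is not allowed as a check item: fall back to "==". */
    if (is_check && op == T_OP_EQ) op = T_OP_CMP_EQ;
    *data = value;
    return op;
}

int main(void)
{
    /* Constructed sample values, as they might be stored in the directory. */
    const char *samples[] = { "Local", ":= Local", "== 11", "= Local" };
    const char *names[] = { "=", ":=", "+=", "==" };   /* indexed by op_t */
    const char *data;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        op_t c = split_ldap_value(samples[i], 1, &data);
        op_t r = split_ldap_value(samples[i], 0, &data);
        printf("%-10s check:%-2s reply:%-2s data:%s\n", samples[i], names[c], names[r], data);
    }
    return 0;
}
```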