Hi all.
Reading through the C code of rlm_ldap I've noticed that the behavior of
this module, when it gets a nosuchobject or an ambiguous reply, is to not
reject the request but pass it over to some other module, either in
authorize or in authenticate.
This could be OK when you have a distributed LDAP with different databases,
but could result in some false positives when using a replicated net of
LDAP servers that have the same information.
Since I do have this latter configuration, I've tried to figure out how I
could get a reject if the module fails with these two conditions, and I made
a patch to rlm_ldap.c to have a configuration option for achieving this
behavior.
So, my patch adds the "not_found_should_reject" (boolean type, yes/no)
keyword in the ldap section of radiusd.conf, with a default value of no, so
the normal behavior is kept, and if set to yes it will make the module
return a reject when it fails as described.

Could this patch be included in CVS, and so in the next distribution?

Pigi
Here is the patch (output from diff -U 1 rlm_ldap.c.orig rlm_ldap.c):
--- rlm_ldap.c.orig     Sun Feb 29 14:55:08 2004
+++ rlm_ldap.c  Fri Mar 12 13:24:23 2004
@@ -252,2 +252,3 @@
        int             do_comp;
+       int             do_reje;
        int             do_xlat;
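Review bot: the new instance field `do_reje` is an abbreviation nobody will recognise next to `do_comp` and `do_xlat`; since the config keyword is `not_found_should_reject`, a field name such as `not_found_reject` would make the path from keyword to field obvious when grepping. Naming point only.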
@@ -322,2 +323,3 @@
        {"compare_check_items", PW_TYPE_BOOLEAN,
offsetof(ldap_instance,do_comp), NULL, "no"},
+       {"not_found_should_reject", PW_TYPE_BOOLEAN,
offsetof(ldap_instance,do_reje), NULL, "no"},
        {"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
offsetof(ldap_instance,default_allow), NULL, "yes"},
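Review bot: the table entry is fine, but the patch ships no documentation for the new keyword: the sample `ldap` section in radiusd.conf (and the module's doc, if there is one for this version) should gain `not_found_should_reject = no` with a sentence saying that `yes` turns a no-such-object or ambiguous search result into a hard failure instead of letting the request fall through to later modules, and that `no` keeps the current behaviour.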
@@ -659,3 +661,8 @@
        case LDAP_SUCCESS:
+               break;
        case LDAP_NO_SUCH_OBJECT:
+                if (inst->do_reje){
+                  DEBUG2("rlm_ldap: performing search in %s, with filter
%s NOSUCHOBJECT", search_basedn ? search_basedn : "(null)",filter);
+                   return (RLM_MODULE_FAIL);
+                }
                break;
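Review bot: the early `return (RLM_MODULE_FAIL)` in the `LDAP_NO_SUCH_OBJECT` case leaves the function without freeing the search result, whereas the not-found branch after the switch (visible in the next hunk) sets `res` and then calls `ldap_msgfree(*result)`. Before this patch `LDAP_NO_SUCH_OBJECT` simply did `break` together with `LDAP_SUCCESS` and fell through to the code after the switch, where that not-found branch is taught by the next hunk to fail when `do_reje` is set, so this hunk is redundant and only adds a path that skips the cleanup. Suggest dropping this hunk (keeping `case LDAP_SUCCESS: case LDAP_NO_SUCH_OBJECT: break;` as it was) and letting the single not-found branch handle both conditions; the debug string "performing search in %s, with filter %s NOSUCHOBJECT" would go with it.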
@@ -706,2 +713,7 @@
                res = RLM_MODULE_NOTFOUND;
+                if (inst->do_reje){
+                  DEBUG2("rlm_ldap: performing search in %s, with filter
%s and ALWAYS_REJECT",
+                           search_basedn ? search_basedn : "(null)",filter);
+                       res = RLM_MODULE_FAIL;
+                }
                ldap_msgfree(*result);
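Review bot: the option is named `not_found_should_reject` and the covering mail says it makes the module "return a reject", but both here and in the previous hunk the code returns `RLM_MODULE_FAIL`, not `RLM_MODULE_REJECT`. In FreeRADIUS `fail` means the module itself broke (and inside a `redundant` group it makes the server move on to the next module, the opposite of what is wanted here), while `reject` is the rcode meaning the user is to be refused; use `res = RLM_MODULE_REJECT;` so the behaviour matches the keyword. The debug text "with filter %s and ALWAYS_REJECT" should likewise name the option and say that the search returned no entry or more than one, since this branch covers both of the conditions the mail describes.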

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html