When I upgraded from 1.1.7 to 2.0.5, my group-checking rules stopped
working. By running FreeRadius in debug mode, I noticed that the
filters it was constructing to do the group-membership check were
incorrect.

My configuration had this (in modules/ldap):

    groupmembership_filter = 
"(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"

But the debug output had this:

  expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))
       -> (&(objectClass=groupOfNames)(member=))

Apparently, in this version the attribute must be referenced as
%{control:Ldap-UserDn} rather than %{Ldap-UserDn}. Thanks to Alan DeKok
for letting me know. I have verified that this works.

The attached patch updates the documentation to show the correct
syntax, and fixes the default value in rlm_ldap.c.
---

 doc/rlm_ldap                    |    4 ++--
 raddb/modules/ldap              |    2 +-
 src/modules/rlm_ldap/rlm_ldap.c |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)


diff --git a/doc/rlm_ldap b/doc/rlm_ldap
index 32f7e8e..56467b6 100644
--- a/doc/rlm_ldap
+++ b/doc/rlm_ldap
@@ -232,9 +232,9 @@ the rlm_ldap module:
 #      groupmembership_filter: The filter to search for group membership of a
 #      particular user after we have found the DN for the group.
 #
-#      default: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
+#      default: 
(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
 #
-#      groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
      
+#      groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
      
 
 
 #      groupmembership_attribute: The attribute in the user entry that states
diff --git a/raddb/modules/ldap b/raddb/modules/ldap
index 1f0ff88..a330214 100644
--- a/raddb/modules/ldap
+++ b/raddb/modules/ldap
@@ -126,7 +126,7 @@ ldap {
        #  Group membership checking.  Disabled by default.
        #
        # groupname_attribute = cn
-       # groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+       # groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
 
        # compare_check_items = yes
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index b127417..bb2be91 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -280,7 +280,7 @@ static const CONF_PARSER module_config[] = {
        {"groupname_attribute", PW_TYPE_STRING_PTR,
         offsetof(ldap_instance,groupname_attr), NULL, "cn"},
        {"groupmembership_filter", PW_TYPE_STRING_PTR,
-        offsetof(ldap_instance,groupmemb_filt), NULL, 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
+        offsetof(ldap_instance,groupmemb_filt), NULL, 
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"},
        {"groupmembership_attribute", PW_TYPE_STRING_PTR,
         offsetof(ldap_instance,groupmemb_attr), NULL, NULL},
 
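Review bot: The new default interpolates the expanded `control:Ldap-UserDn` value straight into an LDAP search filter, and nothing in the hunk shows whether the xlat escapes RFC 4515 filter metacharacters (`*`, `(`, `)`, `\`) for this attribute; if it does not, a user DN containing such characters would change the meaning of the membership filter, so that is worth confirming in the expansion path rather than assumed. The reason for the `control:` qualifier is not recorded in the code, and the description shows that the bare `%{Ldap-UserDn}` form now expands to an empty value and silently produces `(member=)`, so a comment on the entry such as `/* Ldap-UserDn is in the control list; an unqualified %{Ldap-UserDn} expands to "" here */` would keep the old form from being reintroduced. Deployments that copied the old example into their own raddb still get the silently-empty filter; logging a warning when the expanded filter contains an empty assertion value would surface that misconfiguration, though it lies outside this hunk. The `module_config[]` array begins before the hunk and continues past it.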

