Please note: as I am not a C developer, I just "mimicked" what is already done in rlm_ldap.c to create this patch, which only checks against the "FALSE" value. So, this patch is not sufficient to manage multiple possible values.

For example, inetUserStatus has:
- 2 possible REJECT values:
  * inactive
  * deleted
- 1 possible ACCEPT value:
  * active

I am not able to create the patch to support checking on multiple custom reject values. For example: support access_attr_deny_value as a list with space-separated values to check:

    access_attr_deny_value = "inactive deleted"

or as a list with | separated values:

    access_attr_deny_value = "inactive|deleted"

Best regards,
Fred Maison

2011/10/3 Fred <[email protected]>:
> Hi all,
>
> This patch is an attempt to have a more generic custom access_attr
> support, by introducing a new ldap module configuration parameter
> named "access_attr_deny_value" allowing to check arbitrary access_attr
> attribute value to reject user.
>
> Without this patch, configured access_attr attribute is checked
> against a static (hard-coded) "FALSE" value.
> With this patch, rlm_ldap module user can configure not only custom
> access_attr attribute, but also custom access_attr_deny_value value to
> control user lock status.
> Default value remains FALSE, to maintain backward compatibility.
>
> This patch has been made because if, for example, inetUserStatus is
> used at ldap server level to control lock user status, this control is
> done by ldap server when user tries to bind to the ldap.
> From freeradius point of view, if ldap bind is not done for any reason
> (i.e. because radiusd received a MSCHAP challenge, and just replayed
> MSCHAP using ntPassword or lmPassword retrieved during author), ldap
> server will not have occasion to reject the user at binding, so
> radiusd has to do the job itself for inetUserStatus to be honored.
> If radiusd does not do the job, only ldap-bound users will be rejected
> (by ldap) but non-bound users will be accepted, thus the ldap
> setting disabling the user with inetUserStatus set to "inactive" will
> not be honored at radius level and the user will be unexpectedly accepted.
>
>
> For example, ${confdir}/modules/ldap :
>
>   access_attr = inetUserStatus # OID 2.16.840.1.113730.3.1.692
>   access_attr_deny_value = "inactive"
>
> With this setup, if inetUserStatus is set to inactive in ldap
> directory for a particular user, this user will be rejected early
> during authorization.
>
> Best regards,
> Fred MAISON
>
> ###############################################
>
> diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c > ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c > --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c 2011-09-20 > 14:11:34.000000000 +0200 > +++ > ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c > 2011-09-29 > 17:39:32.000000000 +0200 > @@ -146,6 +146,7 @@ > char *default_profile; > char *profile_attr; > char *access_attr; > + char *access_attr_deny_value; > char *passwd_hdr; > char *passwd_attr; > int auto_header; > @@ -304,6 +305,8 @@ > offsetof(ldap_instance,access_attr), NULL, NULL}, > {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, > offsetof(ldap_instance,default_allow), NULL, "yes"}, > + {"access_attr_deny_value", PW_TYPE_STRING_PTR, > + offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"}, > {"chase_referrals", PW_TYPE_BOOLEAN, > offsetof(ldap_instance,chase_referrals), NULL, NULL}, > {"rebind", PW_TYPE_BOOLEAN, 
> @@ -1405,8 +1408,8 @@ > if (inst->access_attr) { > if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) > != NULL) { > if (inst->default_allow){ > - RDEBUG("checking if remote access for %s is > allowed by %s", > request->username->vp_strvalue, inst->access_attr); > - if (!strncmp(vals[0], "FALSE", 5)) { > + RDEBUG("checking if remote access for user %s > is %s by %s", > request->username->vp_strvalue, inst->access_attr_deny_value, > inst->access_attr); > + if (!strncmp(vals[0], > inst->access_attr_deny_value, > sizeof(inst->access_attr_deny_value))) { > RDEBUG("dialup access disabled"); > > snprintf(module_fmsg,sizeof(module_fmsg)," [%s] Access > Attribute denies access", inst->xlat_name); > module_fmsg_vp = > pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); > > > ############################################### > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
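Review bot: the length argument in the @@ -1405,8 +1408,8 @@ hunk is wrong: `strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))` uses sizeof on a `char *`, which is the pointer size (4 or 8 bytes), not the length of the configured string, so a deny value such as "inactive" or "deleted" is compared on its first 4 or 8 characters only and any attribute value sharing that prefix is rejected. Use a whole-string comparison, `if (strcmp(vals[0], inst->access_attr_deny_value) == 0)`, which also drops the prefix-match behaviour the replaced `strncmp(vals[0], "FALSE", 5)` had; if LDAP case-insensitive matching is wanted, strcasecmp() is the equivalent. Two smaller points in the same hunk: the new RDEBUG text "checking if remote access for user %s is %s by %s" reads oddly with the deny value substituted (say "denied when %s equals %s"), and only vals[0] is examined, so a multi-valued access_attr is not covered (pre-existing, but worth a comment since the parameter is now user-configurable).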
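The space- or pipe-separated deny list Fred describes in his reply, as an added C example that is not part of the posted patch or of rlm_ldap.c: the helpers value_in_deny_list and any_value_denied are hypothetical names, the comparison is whole-token and case-insensitive (a design choice, not something the patch does), and the attribute values in main are constructed stand-ins for what ldap_get_values() would return.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp() (POSIX) */

/*
 * Hypothetical helper (not from rlm_ldap.c): return 1 if `value` equals one
 * token of `deny_list`, where tokens are separated by spaces or '|', so both
 *   access_attr_deny_value = "inactive deleted"
 *   access_attr_deny_value = "inactive|deleted"
 * are accepted.  Each token is compared whole and case-insensitively; a
 * prefix test such as strncmp(value, token, strlen(token)) would wrongly
 * treat a value like "inactive2" as "inactive".
 */
int value_in_deny_list(const char *value, const char *deny_list)
{
    const char *p;
    size_t vlen;

    if (value == NULL || deny_list == NULL) return 0;
    vlen = strlen(value);

    for (p = deny_list; *p != '\0'; ) {
        const char *start;
        size_t tlen;

        while (*p == ' ' || *p == '|') p++;      /* skip separators */
        if (*p == '\0') break;

        start = p;
        while (*p != '\0' && *p != ' ' && *p != '|') p++;
        tlen = (size_t)(p - start);

        /* equal length plus case-insensitive compare == exact token match */
        if (tlen == vlen && strncasecmp(start, value, tlen) == 0)
            return 1;
    }
    return 0;
}

/*
 * ldap_get_values() returns a NULL-terminated array of values: check every
 * value of a multi-valued attribute, not only vals[0] as the posted patch
 * does.  Returns 1 if any value is on the deny list.
 */
int any_value_denied(char **vals, const char *deny_list)
{
    for (; vals != NULL && *vals != NULL; vals++) {
        if (value_in_deny_list(*vals, deny_list)) return 1;
    }
    return 0;
}

int main(void)
{
    /* constructed stand-ins for what ldap_get_values() might return */
    char *inactive[] = { "inactive", NULL };
    char *active[]   = { "active", NULL };
    char *mixed[]    = { "active", "deleted", NULL };
    const char *deny = "inactive|deleted";   /* the configured deny list */

    printf("inactive        -> %s\n", any_value_denied(inactive, deny) ? "reject" : "accept");
    printf("active          -> %s\n", any_value_denied(active, deny)   ? "reject" : "accept");
    printf("active, deleted -> %s\n", any_value_denied(mixed, deny)    ? "reject" : "accept");
    return 0;
}
```

In rlm_ldap terms the call would replace the strncmp() in the authorize path with `any_value_denied(vals, inst->access_attr_deny_value)`; the default "FALSE" keeps working because a one-token list degenerates to an exact comparison.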

