On 11 Jan 2012, at 3:06 PM, Phil Mayers wrote:

> I'm not sure I understand the circumstances in which this occurs. Can you 
> give an example of it failing?
> 
> rlm_ldap takes the "groupmembership_filter" you give it, and then ANDs it 
> with groupname=value, like so:
> 
> final_filter = sprintf("(&(%s=%s)%s)",
>  groupname_attr,
>  groupname,
>  groupmembership_filter
> )
> 
> This query will end up looking something like this:
> 
> (&(cn=TheGroup)(|(member=<LDAP DN>)(uniquemember=<LDAP DN>)))
> 
> ...and should never return >1 hit.

That assumes you're searching using a group name.

In my case, I have an attribute that has a value that means "give this group of 
people access to radius", and for some people, they will be members of more 
than one group. In the process, they are denied access because 2 or more values 
come back. This patch gives the admin the power to support this scenario when 
it is required.

Regards,
Graham
--

Attachment: smime.p7s
Description: S/MIME cryptographic signature
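
The two cases discussed in this thread, as an added example that is not part of either message and is not rlm_ldap code: the filter is composed as in the quoted sprintf, then hits are counted for a search by group name and for a search by an attribute value shared across groups. The attribute name `access`, its value `radius`, the DNs, the directory rows and the two policy function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: one row per (group entry, member) pair. */
struct row { const char *cn, *access, *member; };
static const struct row dir[] = {
    {"staff",    "radius", "uid=alice,dc=example,dc=org"},
    {"netadmin", "radius", "uid=alice,dc=example,dc=org"},
    {"staff",    "radius", "uid=bob,dc=example,dc=org"},
    {"guests",   "none",   "uid=carol,dc=example,dc=org"},
};

/* Compose (&(attr=value)membership_filter) as in the quoted message.
 * Returns 0 on success, -1 if the result would not fit in out. */
int build_filter(char *out, size_t len, const char *attr,
                 const char *value, const char *membership_filter)
{
    int n = snprintf(out, len, "(&(%s=%s)%s)", attr, value, membership_filter);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Count entries where attr=value and the user DN is a member.
 * attr is "cn" (group name) or "access" (hypothetical attribute). */
int count_hits(const char *attr, const char *value, const char *dn)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof dir / sizeof dir[0]; i++) {
        const char *have = strcmp(attr, "cn") == 0 ? dir[i].cn : dir[i].access;
        if (strcmp(have, value) == 0 && strcmp(dir[i].member, dn) == 0)
            hits++;
    }
    return hits;
}

/* Two result policies: exactly one entry, or one or more entries. */
int allow_exactly_one(int hits) { return hits == 1; }
int allow_one_or_more(int hits) { return hits >= 1; }

int main(void)
{
    const char *alice = "uid=alice,dc=example,dc=org";
    char f[256];
    if (build_filter(f, sizeof f, "access", "radius",
                     "(member=uid=alice,dc=example,dc=org)") == 0)
        printf("%s -> %d hits\n", f, count_hits("access", "radius", alice));
    return 0;
}
```

A search by group name returns at most one entry for a user, while the attribute search returns two for the constructed user alice, so only the one-or-more policy admits her.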

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
