Phil Mayers wrote:

If you could describe more precisely what you're trying to do I may be able to give a more specific answer.

Actually I've just had a quick look at your earlier email and it's a bit clearer what you want to do - take NT groups from AD via LDAP, send them to your Aruba after stripping the name from cn=<name>,ou=path and have it process them - correct?

You could do this:

ldap.attrmap:

# append memberOf to radius reply as Whatever-Attribute
# 4th column is the operator (needs CVS HEAD or the 1.1.0 backport below):
# "+=" adds one reply item per memberOf value rather than replacing it.
# NOTE(review): the DN in each value is passed through as-is here; the
# stripping to a bare group name happens in the attr_rewrite modules.
replyItem Whatever-Attribute memberOf +=

radiusd.conf:

modules {
  # bulk of modules, then
  ldap {
    # ldap config
  }
  # chop end off: drop everything from the first comma onward, i.e. the
  # ",ou=...,dc=..." tail of the memberOf DN, leaving "cn=<name>".
  # NOTE(review): a CN that itself contains an escaped comma
  # ("cn=Smith\, John,ou=...") is cut at that comma too and yields a
  # truncated group name -- confirm no such groups exist, or handle them first.
  # Discarding the OU path also makes two groups with the same CN in different
  # OUs indistinguishable to the NAS; keep the ldap basedn/filter narrow enough
  # that only trusted groups are returned.
  # NOTE(review): memberOf is multi-valued; verify attr_rewrite rewrites every
  # Whatever-Attribute instance in the reply and not only the first one.
  attr_rewrite stripGroupDn1 {
          attribute = Whatever-Attribute
          searchin = reply
          searchfor = ",.*"
          replacewith = ""
          ignore_case = yes
          new_attribute = no
          max_matches = 1
          append = no
  }
  # chop start off: remove the leading "cn=" ("CN=" as well, via ignore_case)
  attr_rewrite stripGroupDn2 {
          attribute = Whatever-Attribute
          searchin = reply
          searchfor = "^cn="
          replacewith = ""
          ignore_case = yes
          new_attribute = no
          max_matches = 1
          append = no
  }
  # rest of modules
}

authorize {
  preprocess
  # ldap must run before the two rewrites: it is what puts the memberOf
  # values into the reply as Whatever-Attribute
  ldap
  # order matters: strip the ",ou=..." tail first, then the "cn=" prefix
  stripGroupDn1
  stripGroupDn2
  files
}

# rest of radiusd.conf

...however, you'll need CVS HEAD for the ldap.attrmap 4th item (operator) and for fixes to the extraction of replyItems from LDAP attributes - or the (scantily tested) backport I've just written to 1.1.0 (attached)

--- src/modules/rlm_ldap/rlm_ldap.c~	2005-12-29 21:52:53.000000000 +0000
+++ src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 13:01:49.000000000 +0100
@@ -919,7 +919,7 @@
                 return 1;
         }
 
-        if (!radius_xlat(basedn, sizeof(basedn), inst->basedn, req, NULL)) {
+        if (!radius_xlat(basedn, sizeof(basedn), inst->basedn, req, ldap_escape_func)) {
                 DEBUG("rlm_ldap::ldap_groupcmp: unable to create basedn.");
                 return 1;
         }
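Review bot: `ldap_escape_func` is now applied to the basedn expansion as well as to the filter, but DN components (RFC 4514) and filter values (RFC 4515) need different escaping, and the function itself is not visible in this patch, so confirm which one it implements. If it is filter-style escaping (`*`, `(`, `)`, `\` and NUL), a basedn that embeds request data such as a realm is still not DN-safe, since `,`, `+`, `"` and friends pass through unescaped. A comment at the call site would make the assumption explicit: `/* filter-style escaping of xlat'd request data; basedn must not take user-controlled DN components */`. ldap_groupcmp's body begins before and continues after this hunk.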
@@ -964,7 +964,7 @@
                 ldap_msgfree(result);
         }
 
-        if(!radius_xlat(gr_filter, sizeof(gr_filter), inst->groupmemb_filt, req, NULL)){
+        if(!radius_xlat(gr_filter, sizeof(gr_filter), inst->groupmemb_filt, req, ldap_escape_func)){
                 DEBUG("rlm_ldap::ldap_groupcmp: unable to create filter.");
                 return 1;
         }
@@ -1235,7 +1235,7 @@
 	}
 
 	if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
-			 request, NULL)) {
+			 request, ldap_escape_func)) {
 		radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
 		return RLM_MODULE_INVALID;
 	}
@@ -1703,13 +1703,13 @@
 
 	while((vp_user_dn = pairfind(request->packet->vps, PW_LDAP_USERDN)) == NULL) {
 		if (!radius_xlat(filter, sizeof(filter), inst->filter,
-				request, NULL)) {
+				request, ldap_escape_func)) {
 			radlog (L_ERR, "rlm_ldap: unable to create filter.\n");
 			return RLM_MODULE_INVALID;
 		}
 
 		if (!radius_xlat(basedn, sizeof(basedn), inst->basedn,
-		 		request, NULL)) {
+		 		request, ldap_escape_func)) {
 			radlog (L_ERR, "rlm_ldap: unable to create basedn.\n");
 			return RLM_MODULE_INVALID;
 		}
--- src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 15:12:28.000000000 +0100
+++ src/modules/rlm_ldap/rlm_ldap.c	2006-04-08 15:17:17.000000000 +0100
@@ -248,6 +248,7 @@
 struct TLDAP_RADIUS {
 	char*                 attr;
 	char*                 radius_attr;
+	LRAD_TOKEN            operator;
 	struct TLDAP_RADIUS*  next;
 };
 typedef struct TLDAP_RADIUS TLDAP_RADIUS;
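Review bot: The new `operator` member is undocumented, and its sentinel value is only discoverable from the parser further down, where `T_INVALID` means "no operator given, use the built-in default". A field comment would save the next reader that trip: `LRAD_TOKEN operator; /* 4th column of ldap.attrmap; T_INVALID = not given, use the check/reply default */`. Naming a field `operator` is legal C but becomes a keyword if this header is ever pulled into a C++ unit; `op` would sidestep that.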
@@ -657,6 +658,8 @@
 	/* all buffers are of MAX_LINE_LEN so we can use sscanf without being afraid of buffer overflows */
 	char buf[MAX_LINE_LEN], itemType[MAX_LINE_LEN], radiusAttribute[MAX_LINE_LEN], ldapAttribute[MAX_LINE_LEN];
 	int linenumber;
+	LRAD_TOKEN operator;
+	char opstring[MAX_LINE_LEN];
 
 	/* open the mappings file for reading */
 
@@ -688,23 +691,39 @@
 		if (buf[0] == 0) continue;
 
 		/* extract tokens from the string */
-		token_count = sscanf(buf, "%s %s %s", itemType, radiusAttribute, ldapAttribute);
+		token_count = sscanf(buf, "%s %s %s %s", itemType, radiusAttribute, ldapAttribute, opstring);
 
 		if (token_count <= 0) /* no tokens */
 			continue;
 
-		if (token_count != 3) {
-			radlog(L_ERR, "rlm_ldap: Skipping %s line %i: %s", filename, linenumber, buf);
-			radlog(L_ERR, "rlm_ldap: Expected 3 tokens "
-			       "(Item type, RADIUS Attribute and LDAP Attribute) but found only %i", token_count);
+		if ((token_count < 3) || (token_count > 4)) {
+			radlog(L_ERR, "rlm_ldap: Skipping %s line %i: %s",
+					filename, linenumber, buf);
+			radlog(L_ERR, "rlm_ldap: Expected 3 to 4 tokens "
+					"(Item type, RADIUS Attribute and LDAP Attribute) but found only %i", token_count);
 			continue;
 		}
+		
+		if (token_count == 3) {
+			operator = T_INVALID; /* use defaults */
+		} else {
+			char *ptr;
+			
+			ptr = opstring;
+			operator = gettoken(&ptr, buf, sizeof(buf));
+			if ((operator < T_OP_ADD) || (operator > T_OP_CMP_EQ)) {
+				radlog(L_ERR, "rlm_ldap: file %s: skipping line %i: unknown or invalid operator %s",
+						filename, linenumber, opstring);
+				continue;
+			}
+		}
 
 		/* create new TLDAP_RADIUS list node */
 		pair = rad_malloc(sizeof(TLDAP_RADIUS));
 
 		pair->attr = strdup(ldapAttribute);
 		pair->radius_attr = strdup(radiusAttribute);
+		pair->operator = operator;
 
 		if ( (pair->attr == NULL) || (pair->radius_attr == NULL) ) {
 			radlog(L_ERR, "rlm_ldap: Out of memory");
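Review bot: The operator range check `(operator < T_OP_ADD) || (operator > T_OP_CMP_EQ)` hard-codes bounds that the pair-building code later in this same patch expresses as `token < T_EQSTART || token > T_EQEND`, so the two will drift apart if the token enum ever changes; `if ((operator < T_EQSTART) || (operator > T_EQEND))` keeps them in step, assuming those macros are aliases for exactly these bounds. `gettoken(&ptr, buf, sizeof(buf))` also uses the line buffer `buf` as its scratch output and silently overwrites the line just parsed; nothing is lost today because the later `radlog` prints `opstring`, but a dedicated scratch array makes that explicit. The "Expected 3 to 4 tokens" message still lists only three field names; append "and optional operator" so the log matches the new format. The `token_count > 4` arm cannot fire with a four-`%s` sscanf and could be dropped.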
@@ -2312,7 +2331,8 @@
 	TLDAP_RADIUS   *element;
 	LRAD_TOKEN      token;
 	int             is_generic_attribute;
-	char            value[256];
+	char           *value;
+	char		buf[MAX_STRING_LEN];
 	VALUE_PAIR     *pairlist = NULL;
 	VALUE_PAIR     *newpair = NULL;
 
@@ -2332,7 +2352,7 @@
 			vals_count = ldap_count_values(vals);
 
 			for (vals_idx = 0; vals_idx < vals_count; vals_idx++) {
-				ptr = vals[vals_idx];
+				value = ptr = vals[vals_idx];
 
 				if (is_generic_attribute) {
 					/* this is a generic attribute */
@@ -2348,13 +2368,20 @@
 						       element->attr, vals[vals_idx]);
 					}
 				} else {
-					/* this is a one-to-one-mapped attribute */
-					token = gettoken(&ptr, value, sizeof(value) - 1);
+					token = gettoken(&ptr, buf, sizeof(buf) - 1);
 					if (token < T_EQSTART || token > T_EQEND) {
-						token = (is_check) ? T_OP_CMP_EQ : T_OP_EQ;
+						/* no leading operator found */
+						if (element->operator != T_INVALID)
+							token = element->operator;
+						else if (is_check)
+							token = T_OP_CMP_EQ;
+						else
+							token = T_OP_EQ;
 					} else {
-						gettoken(&ptr, value, sizeof(value) - 1);
+						/* the value is after the operator */
+						value = ptr;
 					}
+					
 					if (value[0] == 0) {
 						DEBUG("rlm_ldap: Attribute %s has no value", element->attr);
 						break;
- 
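Review bot: The attrmap operator is consulted only in the no-leading-operator branch, so a value stored in the directory as `:= foo` still overrides an attrmap `+=`; that precedence is pre-existing, but with a configurable default it now deserves a comment such as `/* attrmap operator is a fallback only; an operator embedded in the LDAP value takes precedence */`, and the ldap.attrmap documentation should warn that any mapped attribute writable by end users lets them pick the reply operator. Separately, `value = ptr` passes the raw remainder of the LDAP value through, whereas the removed `gettoken(&ptr, value, ...)` call unquoted it and bounded it at 256 bytes; whether surrounding quotes now survive, and whether a blank after the operator is skipped, depends on gettoken's post-match handling, which is not visible here. The consumer of `value` is outside this hunk and must bound its own copy now that the local array is gone. The enclosing loop and function continue past the end of the hunk.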