Hi all,

After some more reading of the rlm_ldap code, I saw that a static comparison is made with "FALSE" to detect disabled access, which is fairly limiting...
Here is a small rlm_ldap patch I have tested with 2.1.12pre, which allows an arbitrary deny value to be configured for access_attr. The config parameter exposed in ${config}/modules/ldap is access_attr_deny_value. The default value is "FALSE", as before, so if access_attr is dialupAccess and dialupAccess == "FALSE" in the ldap database, the user is rejected.

This is useful, for example, to use inetUserStatus as access_attr, because the common values for this attribute are [active|inactive].

ldap module sample config:

  access_attr = inetUserStatus
  access_attr_deny_value = "inactive"
  access_attr_used_for_allow = yes

I don't think Alan will agree to commit this change for 2.1.12 one day before it's out, but let's try!

#######################################
char *access_attr;
char *access_attr_deny_value;
char *passwd_hdr;
.....
 * Access limitations */
/* LDAP attribute name that controls remote access */
{"access_attr", PW_TYPE_STRING_PTR, offsetof(ldap_instance,access_attr), NULL, NULL},
{"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"},
{"access_attr_deny_value", PW_TYPE_STRING_PTR, offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"},
{"chase_referrals", PW_TYPE_BOOLEAN, offsetof(ldap_instance,chase_referrals), NULL, NULL},
{"rebind", PW_TYPE_BOOLEAN, offsetof(ldap_instance,rebind), NULL, NULL},
.....
/* Remote access is controled by attribute of the user object */
if (inst->access_attr) {
    if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
        if (inst->default_allow){
            RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr);
            if (!strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))) {
                RDEBUG("dialup access disabled");
.....
######################

Best regards,
Fred

2011/9/23 Fred <fred.mai...@gmail.com>:
> Hi all,
>
> I am using FR 2.1.11 and I try to implement access_attr &
> access_attr_used_for_allow with rlm_ldap.
> modules/ldap.conf :
> ....
> access_attr = inetUserStatus
> access_attr_used_for_allow = yes
> compare_check_items = no
> do_xlat = yes
> set_auth_type = yes
> ...
>
> Inside our OpenLDAP, the attribute is inetUserStatus, whose value can
> be (active/inactive).
> According to the rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE).
> At the moment, access is granted if inetUserStatus is set to active as well
> as if inetUserStatus is set to inactive, I suppose because FR does not
> interpret those values as TRUE/yes or FALSE/no ..
>
> As I cannot act on the ldap server side (many other applications already use
> this attribute value pair), is there any way to have this working on the
> freeradius side?
> Is it necessary to ldap.attrmap this attribute to use this feature?
> Could I (for example) update the attribute recovered from ldap during author
> and change inactive to FALSE or active to TRUE?
>
> debug extract :
> Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for user_sps
> Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{Stripped-User-Name} ->
> Fri Sep 23 12:54:05 2011 : Info: [ldap] ... expanding second conditional
> Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: %{User-Name} -> user_sps
> Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps)
> Fri Sep 23 12:54:05 2011 : Info: [ldap] expand: dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Checking Id: 0
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_get_conn: Got Id: 0
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] attempting LDAP reconnection
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] (re)connect to 10.49.64.25:389, authentication 0
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] bind as cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] waiting for bind result ...
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] Bind was successful
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] performing search in dc=corp,dc=toto,dc=com, with filter (uid=user_sps)
> Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for user_sps is allowed by inetUserStatus
> Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in directory...
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] userPassword -> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi"
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] ntPassword -> NT-Password == 0x7305108b06d9839d8530b917307803e9
> Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in directory...
> Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP
> Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use remote access
> Fri Sep 23 12:54:05 2011 : Debug: [ldap] ldap_release_conn: Release Id: 0
> Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok
> Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at line 1
> Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok
>
>
> Best regards,
>
> Fred MAISON
> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
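Review bot: in the compare region of the patch above, the length handed to strncmp, sizeof(inst->access_attr_deny_value), is the size of a "char *" (4 or 8 bytes), not the length of the configured string, so any deny value longer than a pointer is matched only on its first bytes and the test degrades to a prefix match (a value of "deactivation" would satisfy a deny value of "deactivated"); compare the whole string instead, e.g. "if (strcmp(vals[0], inst->access_attr_deny_value) == 0)". While there, only vals[0] is examined even though ldap_get_values() returns every value of a multi-valued attribute and the server does not guarantee their order, so walking the whole array is safer. The RDEBUG("dialup access disabled") message should also print the attribute name and the matched value now that neither is fixed, and the new access_attr_deny_value parameter needs a commented entry in the sample ${config}/modules/ldap beside access_attr_used_for_allow so the default of "FALSE" is documented.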
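The deny-value match described in the message above (reject the user when the value of access_attr in the directory equals access_attr_deny_value) can be written in a few ways that behave differently on real directory data. The following is an added example, not FreeRADIUS or rlm_ldap code and not part of the original post: it models the check on constructed attribute values, with "vals" shaped like the NULL-terminated array ldap_get_values() returns. All function names, the sample values and the choice to ignore case in the last variant are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeRADIUS or rlm_ldap code. `vals` mirrors the
 * NULL-terminated array of strings returned by ldap_get_values();
 * `deny_value` plays the role of the configured access_attr_deny_value.
 * Function names below are hypothetical.
 */

/* Shape of the compare as posted: first value only, and the length given to
 * strncmp is sizeof(a char * field), i.e. the pointer size (4 or 8), not the
 * length of the deny value. For deny values longer than a pointer this is a
 * prefix test. */
bool denied_first_value_pointer_sized(const char *const *vals, const char *deny_value)
{
    if (vals == NULL || vals[0] == NULL) return false;
    return strncmp(vals[0], deny_value, sizeof(char *)) == 0;
}

/* Same scope (first value only) but a whole-string, case-sensitive compare,
 * which is how a hard-coded "FALSE" check behaves when the length is right. */
bool denied_first_value_exact(const char *const *vals, const char *deny_value)
{
    if (vals == NULL || vals[0] == NULL) return false;
    return strcmp(vals[0], deny_value) == 0;
}

/* ASCII case-insensitive whole-string compare; written out instead of using
 * the POSIX-only strcasecmp so the example builds with a strict C99 compiler. */
static bool equals_ignore_case(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Proposed check: LDAP attributes are multi-valued and the server does not
 * promise an order, so every returned value is examined; the whole deny value
 * must match, and (design choice in this example) case is ignored, so a deny
 * value of "inactive" also catches "Inactive". */
bool denied_any_value(const char *const *vals, const char *deny_value)
{
    if (vals == NULL) return false;
    for (size_t i = 0; vals[i] != NULL; i++) {
        if (equals_ignore_case(vals[i], deny_value)) return true;
    }
    return false;
}

/* Constructed inputs, not taken from a real directory. */
const char *vals_active_then_inactive[] = { "active", "inactive", NULL };
const char *vals_mixed_case[]           = { "Inactive", NULL };
const char *vals_near_miss[]            = { "deactivation", NULL }; /* shares "deactiva" with "deactivated" */

int main(void)
{
    printf("{active,inactive} vs \"inactive\", first value only, exact : %d\n",
           denied_first_value_exact(vals_active_then_inactive, "inactive"));
    printf("{active,inactive} vs \"inactive\", all values, ignore case : %d\n",
           denied_any_value(vals_active_then_inactive, "inactive"));
    printf("\"deactivation\" vs \"deactivated\", pointer-sized strncmp   : %d\n",
           denied_first_value_pointer_sized(vals_near_miss, "deactivated"));
    printf("\"deactivation\" vs \"deactivated\", exact                  : %d\n",
           denied_first_value_exact(vals_near_miss, "deactivated"));
    printf("\"Inactive\" vs \"inactive\", exact                         : %d\n",
           denied_first_value_exact(vals_mixed_case, "inactive"));
    printf("\"Inactive\" vs \"inactive\", ignore case                   : %d\n",
           denied_any_value(vals_mixed_case, "inactive"));
    return 0;
}
```

The first two cases are the ones to watch in a deployment: a user whose entry carries both "active" and "inactive" is admitted by a first-value-only check whenever the server happens to return "active" first, and the pointer-sized strncmp denies a value that merely shares its first bytes with the deny value. Whether case should be ignored depends on how the directory is populated; the exact variant is the conservative choice if the attribute's values are strictly controlled.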