Hi all,

This patch is an attempt to have more generic custom access_attr support, by introducing a new ldap module configuration parameter named "access_attr_deny_value" that allows checking an arbitrary access_attr attribute value in order to reject the user.
Without this patch, the configured access_attr attribute is checked against a static (hard-coded) "FALSE" value. With this patch, the rlm_ldap module user can configure not only a custom access_attr attribute, but also a custom access_attr_deny_value to control the user lock status. The default value remains FALSE, to maintain backward compatibility.

This patch has been made because if, for example, inetUserStatus is used at the ldap server level to control the user lock status, this control is done by the ldap server when the user tries to bind to the ldap. From freeradius' point of view, if the ldap bind is not done for any reason (i.e. because radiusd received an MSCHAP challenge and just replayed MSCHAP using the ntPassword or lmPassword retrieved during authorization), the ldap server will have no occasion to reject the user at bind time, so radiusd has to do the job itself for inetUserStatus to be honored. If radiusd does not do the job, only ldap-bound users will be rejected (by ldap), but non-bound users will be accepted; thus the ldap setting disabling the user with inetUserStatus set to "inactive" will not be honored at the radius level and the user will be unexpectedly accepted.

For example, in ${confdir}/modules/ldap:

    access_attr = inetUserStatus # OID 2.16.840.1.113730.3.1.692
    access_attr_deny_value = "inactive"

With this setup, if inetUserStatus is set to inactive in the ldap directory for a particular user, this user will be rejected early during authorization.

Best regards,
Fred MAISON

############################################### diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c 2011-09-20 14:11:34.000000000 +0200 +++ ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c 2011-09-29 17:39:32.000000000 +0200 
@@ -146,6 +146,7 @@ char *default_profile; char *profile_attr; char *access_attr; + char *access_attr_deny_value; char *passwd_hdr; char *passwd_attr; int auto_header; @@ -304,6 +305,8 @@ offsetof(ldap_instance,access_attr), NULL, NULL}, {"access_attr_used_for_allow", PW_TYPE_BOOLEAN, offsetof(ldap_instance,default_allow), NULL, "yes"}, + {"access_attr_deny_value", PW_TYPE_STRING_PTR, + offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"}, {"chase_referrals", PW_TYPE_BOOLEAN, offsetof(ldap_instance,chase_referrals), NULL, NULL}, {"rebind", PW_TYPE_BOOLEAN, @@ -1405,8 +1408,8 @@ if (inst->access_attr) { if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) { if (inst->default_allow){ - RDEBUG("checking if remote access for %s is allowed by %s", request->username->vp_strvalue, inst->access_attr); - if (!strncmp(vals[0], "FALSE", 5)) { + RDEBUG("checking if remote access for user %s is %s by %s", request->username->vp_strvalue, inst->access_attr_deny_value, inst->access_attr); + if (!strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))) { RDEBUG("dialup access disabled"); snprintf(module_fmsg,sizeof(module_fmsg)," [%s] Access Attribute denies access", inst->xlat_name); module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ); ############################################### - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
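Review bot: first hunk (struct at -146): the new `char *access_attr_deny_value;` member is added beside `access_attr`, but nothing in the patch touches the instance teardown path; check that the string is released wherever `access_attr` is released on detach, otherwise each instance reload leaks the configured value.

Review bot: second hunk (config table at -304): the new `{"access_attr_deny_value", PW_TYPE_STRING_PTR, ...}` entry comes with no documentation change, so the option is invisible to anyone not reading the source; add a commented entry like the mail's own `access_attr_deny_value = "inactive"` to the shipped modules/ldap example config, state the `"FALSE"` default, and say that the value is only consulted when `access_attr_used_for_allow = yes`, since the comparison in the third hunk sits inside `if (inst->default_allow)`.

Review bot: third hunk (at -1405): `sizeof(inst->access_attr_deny_value)` in the replacement `strncmp()` is the size of a `char *` (4 or 8 bytes), not the length of the configured string, so the test is a prefix match of pointer-size length whose result differs between 32- and 64-bit builds; with `access_attr_deny_value = "disabled-by-admin"` every value starting with `disabled` is rejected. The intent is an equality test, so write `if (strcmp(vals[0], inst->access_attr_deny_value) == 0) {` (the old `strncmp(vals[0], "FALSE", 5)` was also a prefix match, so the tightening is worth one line in the commit message). Two smaller points in the same hunk: only `vals[0]` is examined, so a multi-valued attribute whose deny value is not first slips through, which matters more now that the value is configurable; and the new RDEBUG text reads "remote access for user X is inactive by inetUserStatus", which is hard to parse, so something like `"checking if %s for user %s equals deny value %s"` with the arguments reordered would be clearer.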
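To make the comparison point concrete, here is an added stand-alone example (not code from the patch, from Fred's mail, or from rlm_ldap) that places the patch's `strncmp(..., sizeof(pointer))` test next to an exact, multi-value check. The `struct access_cfg` type, the `denied_as_patched()` / `access_denied()` names and all attribute values are assumptions constructed for the example; the value arrays are NULL-terminated to mimic the shape `ldap_get_values()` returns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical stand-in for the two rlm_ldap instance fields the patch touches. */
struct access_cfg {
    const char *access_attr;            /* e.g. "inetUserStatus" */
    const char *access_attr_deny_value; /* e.g. "inactive" */
};

/*
 * The comparison as the patch writes it. sizeof() of a char pointer is the
 * pointer size (4 or 8), not the length of the configured string, so this is
 * a prefix match of pointer-size length rather than an equality test.
 */
static bool denied_as_patched(const struct access_cfg *cfg, const char *val)
{
    return strncmp(val, cfg->access_attr_deny_value,
                   sizeof(cfg->access_attr_deny_value)) == 0;
}

/*
 * Corrected check. vals is a NULL-terminated array of attribute values.
 * Every value is compared, not only vals[0], because an LDAP attribute may
 * be multi-valued; the match is exact in length and case-insensitive, so
 * "INACTIVE" locks the account as well (fail closed on a deny decision).
 */
static bool access_denied(const struct access_cfg *cfg, const char *const *vals)
{
    if (vals == NULL || cfg->access_attr_deny_value == NULL) {
        return false;   /* attribute absent: the caller's default_allow policy applies */
    }
    for (size_t i = 0; vals[i] != NULL; i++) {
        if (strcasecmp(vals[i], cfg->access_attr_deny_value) == 0) {
            return true;
        }
    }
    return false;
}

/* Constructed sample configurations and attribute values; not real directory data. */
static const struct access_cfg kStatusCfg = { "inetUserStatus", "inactive" };
static const struct access_cfg kLongCfg   = { "inetUserStatus", "disabled-by-admin" };
static const char *const kLocked[]  = { "inactive", NULL };
static const char *const kMixed[]   = { "active", "INACTIVE", NULL };
static const char *const kActive[]  = { "active", NULL };
static const char *const kSimilar[] = { "disabled-locally", NULL };

int main(void)
{
    printf("locked: %d, mixed: %d, active: %d\n",
           access_denied(&kStatusCfg, kLocked),
           access_denied(&kStatusCfg, kMixed),
           access_denied(&kStatusCfg, kActive));

    /* Prefix-match pitfall: a deny value longer than a pointer matches any
     * value sharing its first sizeof(char *) bytes. */
    printf("patched comparison denies \"disabled-locally\": %d (expected 0)\n",
           denied_as_patched(&kLongCfg, kSimilar[0]));
    printf("exact comparison denies it: %d\n",
           access_denied(&kLongCfg, kSimilar));
    return 0;
}
```

The case-insensitive match is a deliberate choice for a lock check: a stray "Inactive" should still deny. If the directory schema guarantees exact-case values, `strcmp()` gives the same result for well-formed data.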