LDAP Accounting
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Dec 11 12:39:28 CET 2012
On 11 Dec 2012, at 10:28, Olivier Beytrison <olivier at heliosnet.org> wrote:
> On 10.12.2012 20:03, Arran Cudbard-Bell wrote:
>> Hmm wow, oops, this is why you shouldn't write C when tired. Should all work now.
>
> How come, I thought we always wrote code while being tired, in the
> middle of the night, with a mug of coffee ;)
>
>> As an added bonus for your bug finding, it now supports ++, which is sort of undocumented but apparently supported according to comments in the OpenLDAP code.
>>
>> * Example:
>> * LDAPMod *mods[] = {
>> * { LDAP_MOD_ADD, "cn", { "babs jensen", "babs", 0 } },
>> * { LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } },
>> * { LDAP_MOD_DELETE, "ou", 0 },
>> * { LDAP_MOD_INCREMENT, "uidNumber", { "1", 0 } }
>> * 0
>> * }
>>
>> #define LDAP_MOD_ADD (0x0000)
>> #define LDAP_MOD_DELETE (0x0001)
>> #define LDAP_MOD_REPLACE (0x0002)
>> #define LDAP_MOD_INCREMENT (0x0003) /* OpenLDAP extension */
>>
>> Guessed it'd be useful for maintaining a login counter or something...
>
> Nice, Christmas before time!
>
> While doing my test I was surprised that most of my tests returned
> "Modification successful" while it should have thrown an error. Pull
> request sent to correct this ;)
I don't think that was quite right, it looks like the error_no can be positive or negative, pushed another fix.
Thanks for reporting it though.
>
> So, here's some results of my tests:
> 1. Using := set operator
> a. If attribute is not present in the ldap, will create it and set the
> value
Good.
> b. If attribute is present, it will replace its value.
Good.
> c. If multiple attributes are present, it will replace all attributes
> by a single attribute with the passed value (Use with caution!)
Huh?! What was that about Principle of Least Astonishment... wow.
That's one that should go in the config with a big WARNING:/
> 2. Using += add operator
> a. If attribute is not present, will create it and set the value
Good.
> b. If attribute is already present, will create a new one with the
> passed value, if multi-valued
That's good behaviour, I was worried we were going to
have to pre-sort the attributes and bundle them up into value
arrays.
> c. If attribute is already present, and single-valued, it will fail
> with "Constraint violation"
Good.
>
> 3. Using -= del operator
> The del operator is harder to use. If you have an ldap attribute with a
> static value, let say description = "Logged in", putting description -=
> "Logged in" will remove it.
Good.
> If the value is dynamic, you need to xlat it first. But this will fail
> for multi-valued argument. Working example:
> roomNumber -=
> "%{ldap:ldap:///ou=people,o=hes-so?roomNumber?sub?uid=%{%{Stripped-User-Name}:-%{User-Name}}}"
> This will successfully remove an attribute that was originally added
:)
> with roomNumber := "User %{%{Stripped-User-Name}:-%{User-Name}} logged
> in at %S"
>
The main thing is we have a way of doing it, even if it's a little ugly.
> 4. Using ++ increment operator
>
> I've not been able to use the ++ operator. Novell eDirectory doesn't
> support the RFC 4525 LDAP Modify-Increment operation. (Not listed in the
> root DSE in supportedExtension and LDAP_MOD_INCREMENT returns protocol
> error). This should be tested against an OpenLDAP server.
Ok.
>
> In the meantime I also noticed that using a single-quoted string throws a
> segmentation fault in the update section. Full backtrace here
> http://pastebin.com/E85fdKGV
>
Fixed.
Thanks for your brilliant testing :)
-Arran
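The thread maps the rlm_ldap update operators (:=, +=, -=, ++) onto the four LDAP modify operations and records what each does to an entry, including the two surprises: := silently discards every existing value of a multi-valued attribute, and += on a single-valued attribute fails with a constraint violation. The following is an added example, not code from FreeRADIUS or OpenLDAP: it models a toy directory server in Python (the Server/Entry classes, the schema passed as single_valued and the supports_increment flag are all assumptions made for illustration) and replays the cases Olivier enumerated, so the behaviour of each operator can be checked without a live directory.

```python
"""Model of how rlm_ldap update operators map onto LDAP modify operations
and what each does to an entry.  Added example with a toy in-memory server;
not the FreeRADIUS or OpenLDAP implementation."""

from dataclasses import dataclass, field

# LDAP modify operation codes from OpenLDAP's ldap.h, as quoted in the thread.
LDAP_MOD_ADD = 0x0000
LDAP_MOD_DELETE = 0x0001
LDAP_MOD_REPLACE = 0x0002
LDAP_MOD_INCREMENT = 0x0003  # OpenLDAP extension (RFC 4525 Modify-Increment)

# rlm_ldap update-section operator -> LDAP modify operation.
OPERATOR_TO_MOD = {":=": LDAP_MOD_REPLACE, "+=": LDAP_MOD_ADD,
                   "-=": LDAP_MOD_DELETE, "++": LDAP_MOD_INCREMENT}


class LdapError(Exception):
    """Base class for the LDAP result codes modelled here."""

class ConstraintViolation(LdapError):
    """resultCode constraintViolation (19): schema rule broken."""

class NoSuchAttribute(LdapError):
    """resultCode noSuchAttribute (16)."""

class AttributeOrValueExists(LdapError):
    """resultCode attributeOrValueExists (20)."""

class ProtocolError(LdapError):
    """resultCode protocolError (2): operation not understood by the server."""


@dataclass
class Entry:
    """Directory entry: attribute type -> list of string values (hypothetical)."""
    attrs: dict = field(default_factory=dict)


@dataclass
class Server:
    """Toy server (hypothetical): knows which types are SINGLE-VALUE and
    whether it advertises RFC 4525 Modify-Increment."""
    single_valued: frozenset = frozenset()
    supports_increment: bool = True

    def modify(self, entry, mod_op, attr, values):
        current = entry.attrs.get(attr, [])
        if mod_op == LDAP_MOD_REPLACE:
            # REPLACE discards *all* existing values, even on multi-valued
            # attributes (case 1c in the thread); no values means delete.
            if values:
                entry.attrs[attr] = list(values)
            else:
                entry.attrs.pop(attr, None)
        elif mod_op == LDAP_MOD_ADD:
            if attr in self.single_valued and (current or len(values) > 1):
                raise ConstraintViolation(f"{attr} is SINGLE-VALUE")  # case 2c
            dup = [v for v in values if v in current]
            if dup:
                raise AttributeOrValueExists(f"{attr}: {dup}")
            entry.attrs[attr] = current + list(values)          # cases 2a/2b
        elif mod_op == LDAP_MOD_DELETE:
            if attr not in entry.attrs:
                raise NoSuchAttribute(attr)
            if not values:
                del entry.attrs[attr]  # delete the whole attribute
                return
            missing = [v for v in values if v not in current]
            if missing:
                raise NoSuchAttribute(f"{attr}: {missing}")
            remaining = [v for v in current if v not in values]  # case 3
            if remaining:
                entry.attrs[attr] = remaining
            else:
                del entry.attrs[attr]
        elif mod_op == LDAP_MOD_INCREMENT:
            if not self.supports_increment:
                raise ProtocolError("Modify-Increment not supported")  # eDirectory
            if not current:
                raise NoSuchAttribute(attr)  # RFC 4525: attribute must exist
            if len(values) != 1:
                raise ProtocolError("increment takes exactly one value")
            delta = int(values[0])
            entry.attrs[attr] = [str(int(v) + delta) for v in current]
        else:
            raise ProtocolError(f"unknown mod_op {mod_op:#x}")


def apply_update(server, entry, operator, attr, value=None):
    """Apply one rlm_ldap-style `attr <op> value` line; return the new values."""
    values = [] if value is None else [value]
    server.modify(entry, OPERATOR_TO_MOD[operator], attr, values)
    return entry.attrs.get(attr)


def run_thread_cases():
    """Replay the cases from the thread on a constructed entry; return outcomes."""
    srv = Server(single_valued=frozenset({"sn", "uidNumber"}))
    e = Entry({"description": ["one", "two"], "sn": ["Jensen"], "uidNumber": ["1000"]})
    out = {}
    out["1a"] = apply_update(srv, e, ":=", "roomNumber", "42")       # created
    out["1b"] = apply_update(srv, e, ":=", "roomNumber", "43")       # replaced
    out["1c"] = apply_update(srv, e, ":=", "description", "Logged in")  # both gone
    out["2a"] = apply_update(srv, e, "+=", "mail", "babs@example.org")
    out["2b"] = apply_update(srv, e, "+=", "mail", "bj@example.org")
    try:
        apply_update(srv, e, "+=", "sn", "Smith")
    except ConstraintViolation as exc:
        out["2c"] = type(exc).__name__
    out["3"] = apply_update(srv, e, "-=", "mail", "babs@example.org")
    out["4"] = apply_update(srv, e, "++", "uidNumber", "1")
    edir = Server(supports_increment=False)  # eDirectory-like: no RFC 4525
    try:
        apply_update(edir, e, "++", "uidNumber", "1")
    except ProtocolError as exc:
        out["4-edir"] = type(exc).__name__
    return out


if __name__ == "__main__":
    for case, result in run_thread_cases().items():
        print(case, result)
```

The point of modelling := as a plain REPLACE is that the "use with caution" result in case 1c is not a FreeRADIUS quirk but the defined LDAP semantics: a replace modification carries the complete new value set for the attribute, so an update line that means "set this value" will also drop every other value the attribute held. When an attribute is expected to hold several values, += with a later -= is the safe pairing.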