rlm_ldap in FR3.0

Maja Wolniewicz mgw at umk.pl
Tue Aug 6 13:19:31 CEST 2013


Hello,

I found a problem in the function which checks for presence of access
attribute (src/modules/rlm_ldap/ldap.c,  rlm_ldap_check_access).

The culprit is the following code:

 vals = ldap_get_values(conn->handle, entry, inst->userobj_access_attr);
 if (vals) {
     if (inst->access_positive && (strncmp(vals[0], "false", 5) == 0)) {
         RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out");
         rcode = RLM_MODULE_USERLOCK;
     } else {
         RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr);
         rcode = RLM_MODULE_USERLOCK;
     }

     ldap_value_free(vals);
 }

When access_positive is true and a user has the access attribute set to
true, the server gives "attribute exists - user locked out".

It should be changed to something like this:
 if (vals) {
     if (inst->access_positive) {
         /* attribute present: only an explicit "false" locks the user out */
         if (strncmp(vals[0], "false", 5) == 0) {
             RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out",
                    inst->userobj_access_attr);
             rcode = RLM_MODULE_USERLOCK;
         }
     } else {
         /* attribute present and access_positive is off: presence alone locks out */
         RDEBUG("\"%s\" attribute exists - user locked out", inst->userobj_access_attr);
         rcode = RLM_MODULE_USERLOCK;
     }
     ldap_value_free(vals);
 }

Greetings,
Maja

-- 
Maja Gorecka-Wolniewicz          mgw at umk.pl
Uczelniane Centrum               Information & Communication
Informatyczne                    Technology Centre
Uniwersytet Mikolaja Kopernika   Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
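The following is an added, stand-alone C example (not FreeRADIUS code and not part of the original post) that models the access-attribute decision in rlm_ldap_check_access() as posted and as proposed, side by side, so the difference can be run against constructed attribute values. The return codes, the function names check_access_buggy/check_access_fixed, and the sample value arrays are assumptions made for the example; the absent-attribute case (vals == NULL) is not shown in the post and is modelled as "no lockout" purely as an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeRADIUS code. Stand-in return codes for
 * RLM_MODULE_OK / RLM_MODULE_USERLOCK.
 * Assumption: vals == NULL (attribute absent) yields no lockout here;
 * the post does not show that branch.
 */
typedef enum { MODULE_OK = 0, MODULE_USERLOCK = 1 } module_rcode;

/* vals mirrors the NULL-terminated array ldap_get_values() returns. */

/* Logic as posted (before the fix): when access_positive is set and the
 * value is anything other than "false", control falls into the else branch,
 * which locks the user out regardless of the value. */
static module_rcode check_access_buggy(bool access_positive, char **vals)
{
	module_rcode rcode = MODULE_OK;

	if (vals) {
		if (access_positive && (strncmp(vals[0], "false", 5) == 0)) {
			rcode = MODULE_USERLOCK;	/* "false" - locked out */
		} else {
			rcode = MODULE_USERLOCK;	/* also reached for "true" */
		}
	}
	return rcode;
}

/* Corrected logic from the post: with access_positive, only a value
 * starting with "false" locks the user out; without access_positive,
 * the attribute's presence alone does. Note that strncmp() with length 5
 * compares only the first five characters, so "falsehood" also matches. */
static module_rcode check_access_fixed(bool access_positive, char **vals)
{
	module_rcode rcode = MODULE_OK;

	if (vals) {
		if (access_positive) {
			if (strncmp(vals[0], "false", 5) == 0) {
				rcode = MODULE_USERLOCK;
			}
		} else {
			rcode = MODULE_USERLOCK;
		}
	}
	return rcode;
}

/* Constructed sample values, in the shape ldap_get_values() would return. */
static char *sample_true[]  = { "true", NULL };
static char *sample_false[] = { "false", NULL };

int main(void)
{
	struct { const char *name; bool positive; char **vals; } cases[] = {
		{ "access_positive=yes, value=true",       true,  sample_true },
		{ "access_positive=yes, value=false",      true,  sample_false },
		{ "access_positive=no,  value=true",       false, sample_true },
		{ "access_positive=no,  attribute absent", false, NULL },
	};
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		module_rcode b = check_access_buggy(cases[i].positive, cases[i].vals);
		module_rcode f = check_access_fixed(cases[i].positive, cases[i].vals);
		printf("%-42s buggy=%-8s fixed=%s\n", cases[i].name,
		       b == MODULE_USERLOCK ? "USERLOCK" : "OK",
		       f == MODULE_USERLOCK ? "USERLOCK" : "OK");
	}
	return 0;
}
```

Running it prints one row per case; the first row is the one the post describes, where the posted logic reports USERLOCK for a user whose attribute is set to "true" while the corrected logic reports OK.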

