rlm_ldap: do_xlat vs. attributes with multiple values

Andriy Gapon avg at icyb.net.ua
Wed Feb 8 15:01:46 CET 2006


I use rlm_ldap for authorization only in quite a specific way, but
here's a simple model/description of what I do:

##### ldap.attrmap ########
replyItem       Reply-Message                   rbPackage
###########################

LDAP attribute rbPackage can have multiple values (its type is
IA5String), and I want to see multiple Reply-Message RADIUS attributes in
Access-Accept. I am currently using radclient for the testing.
The problem is that I do get what I want if I have "do_xlat = no" in
rlm_ldap configuration, but if I set "do_xlat = yes", then only one
Reply-Message is received.

I looked a little bit in the code and it seems that the problem is with
the following calls:

        if ((reply_tmp = ldap_pairget(conn->ld, msg,
                                      inst->reply_item_map, reply_pairs, 0)) != NULL) {
                if (inst->do_xlat) {
                        pairxlatmove(request, reply_pairs, &reply_tmp);
                        pairfree(&reply_tmp);
                } else
                        pairadd(reply_pairs, reply_tmp);

But pairxlatmove() has the following peculiarity: it checks for the
attributes from source to be present in target and, while doing so, it
also acts on newly added attributes. Thus, if source contains multiple
pairs with the same attribute, all those pairs could be "condensed" into
one by pairxlatmove().
Not sure if this is a problem of pairxlatmove() or a problem of its
incorrect usage in rlm_ldap.

Anyway, is there a way to achieve my goal consistently regardless of
do_xlat setting ?
I feel like I could do this by prepending values in rbPackage with "=" or
":=" (I am not familiar with these things yet), but I really wouldn't like to
mangle the values in LDAP.

-- 
Andriy Gapon
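The collapsing behaviour described in the post, reproduced as an added example that is not FreeRADIUS code and not part of the original message. It models a pair list and the two code paths from the rlm_ldap snippet: an appending pairadd (do_xlat = no) and a merge step standing in for pairxlatmove (do_xlat = yes) that checks the target list as it grows, so the second "=" pair for the same attribute already finds the first one there and is dropped. The operator semantics ("=" adds only if absent, ":=" replaces, "+=" appends), the default operator on LDAP-mapped pairs, the struct layout and the sample rbPackage values are all assumptions of this model, not facts taken from the rlm_ldap source:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Operator carried by a pair, standing in for the RADIUS operators
 * "=" (add if absent), ":=" (replace) and "+=" (append). Which one a
 * freshly mapped LDAP value gets by default is an assumption here. */
typedef enum { OP_EQ, OP_SET, OP_ADD } pair_op;

typedef struct pair {
    char attr[32];
    char value[64];
    pair_op op;
    struct pair *next;
} pair;

static pair *pair_new(const char *attr, const char *value, pair_op op) {
    pair *p = calloc(1, sizeof *p);   /* next is NULL */
    if (!p) abort();
    snprintf(p->attr, sizeof p->attr, "%s", attr);
    snprintf(p->value, sizeof p->value, "%s", value);
    p->op = op;
    return p;
}

/* Append p (and anything chained after it) at the tail of *list.
 * This is the model of the do_xlat = no path. */
static void pair_add(pair **list, pair *p) {
    pair **tail = list;
    while (*tail) tail = &(*tail)->next;
    *tail = p;
}

static void pair_free(pair **list) {
    while (*list) { pair *n = (*list)->next; free(*list); *list = n; }
}

static int pair_count(const pair *list, const char *attr) {
    int n = 0;
    for (; list; list = list->next) if (strcmp(list->attr, attr) == 0) n++;
    return n;
}

static void pair_delete(pair **list, const char *attr) {
    while (*list) {
        if (strcmp((*list)->attr, attr) == 0) { pair *d = *list; *list = d->next; free(d); }
        else list = &(*list)->next;
    }
}

/* Model of the do_xlat = yes path: each source pair is merged into the
 * target according to its operator, and the target is inspected as it
 * grows. With "=" the second pair of an attribute sees the one just
 * moved in and is discarded, which is the collapse the post describes. */
static void model_pairxlatmove(pair **target, pair **source) {
    pair *p = *source;
    *source = NULL;               /* caller's pairfree() then has nothing to do */
    while (p) {
        pair *next = p->next;
        p->next = NULL;           /* detach before appending */
        switch (p->op) {
        case OP_EQ:
            if (pair_count(*target, p->attr) > 0) { free(p); break; }
            pair_add(target, p);
            break;
        case OP_SET:
            pair_delete(target, p->attr);
            pair_add(target, p);
            break;
        case OP_ADD:
            pair_add(target, p);
            break;
        }
        p = next;
    }
}

/* Constructed sample: what the reply map would yield for an rbPackage
 * attribute holding two values, every pair carrying the same operator. */
static pair *sample_ldap_reply(pair_op op) {
    pair *l = NULL;
    pair_add(&l, pair_new("Reply-Message", "package-A", op));
    pair_add(&l, pair_new("Reply-Message", "package-B", op));
    return l;
}

/* Number of Reply-Message pairs left for the Access-Accept. */
int reply_messages_after(int do_xlat, pair_op op) {
    pair *reply_pairs = NULL;
    pair *reply_tmp = sample_ldap_reply(op);
    if (do_xlat) {
        model_pairxlatmove(&reply_pairs, &reply_tmp);
        pair_free(&reply_tmp);
    } else {
        pair_add(&reply_pairs, reply_tmp);   /* whole list linked at the tail */
    }
    int n = pair_count(reply_pairs, "Reply-Message");
    pair_free(&reply_pairs);
    return n;
}

int main(void) {
    printf("do_xlat = no         : %d Reply-Message(s)\n", reply_messages_after(0, OP_EQ));
    printf("do_xlat = yes, '='   : %d Reply-Message(s)\n", reply_messages_after(1, OP_EQ));
    printf("do_xlat = yes, ':='  : %d Reply-Message(s)\n", reply_messages_after(1, OP_SET));
    printf("do_xlat = yes, '+='  : %d Reply-Message(s)\n", reply_messages_after(1, OP_ADD));
    return 0;
}
```

Under these assumed semantics only the appending path and the "+=" operator keep both values; ":=" replaces the first value with the second, so it ends with one Reply-Message just like "=". Whether the real pairxlatmove() behaves this way, and which prefix rlm_ldap actually honours in a value, has to be checked against the rlm_ldap and valuepair sources of the version in use.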