rlm_ldap patch for access_attr_deny_value

Fred fred.maison at gmail.com
Mon Oct 3 12:07:30 CEST 2011


Hi all,

This patch is an attempt to have more generic custom access_attr
support, by introducing a new ldap module configuration parameter
named "access_attr_deny_value" that allows an arbitrary access_attr
attribute value to be checked in order to reject a user.

Without this patch, the configured access_attr attribute is checked
against a static (hard-coded) "FALSE" value.
With this patch, an rlm_ldap module user can configure not only a custom
access_attr attribute, but also a custom access_attr_deny_value to
control the user's lock status.
The default value remains FALSE, to maintain backward compatibility.

This patch has been made because if, for example, inetUserStatus is
used at the ldap server level to control the user's lock status, this control is
done by the ldap server when the user tries to bind to the ldap.
From freeradius' point of view, if the ldap bind is not done for any reason
(i.e. because radiusd received an MSCHAP challenge and just replayed
MSCHAP using the ntPassword or lmPassword retrieved during author), the ldap
server will not have the occasion to reject the user at bind time, so
radiusd has to do the job itself for inetUserStatus to be honored.
If radiusd does not do the job, only ldap-bound users will be rejected
(by ldap) but non-bound users will be accepted; thus the ldap
setting disabling the user with inetUserStatus set to "inactive" will
not be honored at the radius level and the user will be unexpectedly accepted.


For example,
${confdir}/modules/ldap :
access_attr            = inetUserStatus   # OID 2.16.840.1.113730.3.1.692
access_attr_deny_value = "inactive"

With this setup, if inetUserStatus is set to inactive in the ldap
directory for a particular user, this user will be rejected early
during authorization.

Best regards,
Fred MAISON

###############################################

diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c
./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
--- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c	2011-09-20
14:11:34.000000000 +0200
+++ ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c	2011-09-29
17:39:32.000000000 +0200
@@ -146,6 +146,7 @@
 	char           *default_profile;
 	char           *profile_attr;
 	char           *access_attr;
+	char		*access_attr_deny_value;
 	char           *passwd_hdr;
 	char           *passwd_attr;
 	int		auto_header;
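Review bot: the new member is declared with a tab between `char` and the name, while the neighbouring members in this struct are aligned with spaces (`char           *access_attr;`); match the existing alignment so the field lines up with `access_attr` and `passwd_hdr`.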
@@ -304,6 +305,8 @@
 	 offsetof(ldap_instance,access_attr), NULL, NULL},
 	{"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
 	 offsetof(ldap_instance,default_allow), NULL, "yes"},
+	{"access_attr_deny_value", PW_TYPE_STRING_PTR,
+	 offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"},
 	{"chase_referrals", PW_TYPE_BOOLEAN,
 	 offsetof(ldap_instance,chase_referrals), NULL, NULL},
 	{"rebind", PW_TYPE_BOOLEAN,
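Review bot: the new option has no accompanying change to the shipped module configuration; since the mail shows it being set in `${confdir}/modules/ldap`, the sample config should gain a commented entry for `access_attr_deny_value` next to `access_attr` and `access_attr_used_for_allow`, stating the `"FALSE"` default and that the comparison is against the first value of `access_attr` and (as the code currently stands) only applies when `access_attr_used_for_allow` is `yes`.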
@@ -1405,8 +1408,8 @@
 	if (inst->access_attr) {
 		if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
 			if (inst->default_allow){
-				RDEBUG("checking if remote access for %s is allowed by %s",
request->username->vp_strvalue, inst->access_attr);
-				if (!strncmp(vals[0], "FALSE", 5)) {
+				RDEBUG("checking if remote access for user %s is %s by %s",
request->username->vp_strvalue, inst->access_attr_deny_value,
inst->access_attr);
+				if (!strncmp(vals[0], inst->access_attr_deny_value,
sizeof(inst->access_attr_deny_value))) {
 					RDEBUG("dialup access disabled");
 					snprintf(module_fmsg,sizeof(module_fmsg),"  [%s] Access
Attribute denies access", inst->xlat_name);
 					module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
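Review bot: `sizeof(inst->access_attr_deny_value)` in the new `strncmp` is the size of a `char *` (4 or 8 bytes), not the length of the configured string, so only that many leading bytes of the attribute value are compared. On a 32-bit build `access_attr_deny_value = "inactive"` would deny any value starting with `inac`, a deny value longer than a pointer is never compared in full, and a shorter attribute value that happens to share the first few bytes is wrongly denied. Replace the length-limited compare with an exact one, e.g. `if (strcmp(vals[0], inst->access_attr_deny_value) == 0) {`, and guard against an empty deny value (switching to `strlen()` alone would make an empty string match every user; note the old `strncmp(vals[0], "FALSE", 5)` was also only a prefix match). Also consider whether the directory's attribute uses case-insensitive matching, in which case `strcasecmp` is the more faithful check. Finally, the RDEBUG wording `is %s by %s` reads oddly in the log ("is inactive by inetUserStatus"); something like `checking if %s equals deny value "%s" for user %s` is clearer.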


###############################################
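To make the comparison problem in the patch concrete, here is an added, stand-alone C example (not Fred's code and not FreeRADIUS code): `deny_value` stands in for `inst->access_attr_deny_value` and `val` for `vals[0]`, both hypothetical names. It puts the patch's `sizeof()`-bounded compare beside a `strlen()`-bounded prefix compare and an exact, guarded compare, so the difference between "starts with the deny value" and "is the deny value" is visible on sample attribute values constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* The comparison as it appears in the patch. sizeof() of a char pointer is
 * the pointer width (4 or 8 bytes), not the length of the configured string,
 * so only that many leading bytes take part in the comparison. */
int deny_as_patched(const char *deny_value, const char *val)
{
    const char *p = deny_value;   /* same pointer type the patch applies sizeof() to */
    return strncmp(val, p, sizeof(p)) == 0;
}

/* Using strlen() fixes the width, but any value that merely starts with the
 * deny string still matches; the original hard-coded "FALSE", 5 compare had
 * the same prefix behaviour, and an empty deny value matches everything. */
int deny_prefix(const char *deny_value, const char *val)
{
    return strncmp(val, deny_value, strlen(deny_value)) == 0;
}

/* Exact match with guards: an unset or empty deny value never denies (so a
 * blank configuration entry cannot lock out every user) and a missing
 * attribute value is never dereferenced. */
int deny_exact(const char *deny_value, const char *val)
{
    if (!deny_value || !*deny_value || !val)
        return 0;
    return strcmp(val, deny_value) == 0;
}

int main(void)
{
    /* Constructed sample values for the inetUserStatus example in the mail. */
    const char *deny = "inactive";
    const char *samples[] = { "inactive", "inactivex", "active", "INACTIVE" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10s patched=%d prefix=%d exact=%d\n", samples[i],
               deny_as_patched(deny, samples[i]),
               deny_prefix(deny, samples[i]),
               deny_exact(deny, samples[i]));
    }
    return 0;
}
```

The `deny_exact` form is the one to carry into the module: an access check that denies on a prefix can be bypassed by an attribute value that is not the configured deny string but shares its first bytes, and a check whose width depends on the build's pointer size behaves differently on 32-bit and 64-bit servers.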


