<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1476" name=GENERATOR></HEAD>
<BODY>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>Hello,</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>In my users file I
have rules that link ldap groups to hunt groups, possibly with
suffixes.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>They look something
like this:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>DEFAULT Ldap-Group == `%{Huntgroup-Name}`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Access-Level := RW,<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Service-Type = Administrative-User,<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Cisco-AVPair := "shell:priv-lvl=15",<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Passport-Command-Impact = configuration</SPAN></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006># Check passport access groups<BR>
DEFAULT Ldap-Group == `%{Huntgroup-Name}_configuration`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Passport-Command-Impact = configuration</SPAN></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>DEFAULT Ldap-Group == `%{Huntgroup-Name}_systemadmin`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Passport-Command-Impact = systemAdministration</SPAN></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>DEFAULT Ldap-Group == `%{Huntgroup-Name}_passive`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Passport-Command-Impact = passive</SPAN></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006># These checks cover Nortel switches, et al.<BR>
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RWA`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Service-Type = Administrative-User,<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Access-Level := RWA</SPAN></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Access-Level := RO,<BR>
&nbsp;&nbsp;&nbsp;&nbsp;Service-Type = Nas-Prompt-User</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>On the first request
that comes in, the system worked fine. In the radiusd output you would see an
ldap group search for, say, QLD_South, then QLD_South_configuration, etc.
Eventually one would match (or all would fail) and the request would
complete.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>Now a second request
for a different huntgroup would come in, but the ldap search would still be for
QLD_South and so on.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>After tracing
through with gdb I discovered that pair_cmp when xlating the config item was
actually overwriting the source data with the xlat result. I didn't want to
fiddle with pair_cmp so I looked at rlm_files with the intention of supplying
pair_cmp with a copy of the user record rather than the original. It turns out
that pl->check was already being copied, so all that needed to be done was make
the copy earlier, and supply check_tmp rather than pl->check to
pair_cmp.</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>Long story short,
this fixes the problem. Here is the patch:</SPAN></FONT></DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>***
src/modules/rlm_files/rlm_files.c~ Thu Oct 21 03:14:38 2004<BR>---
src/modules/rlm_files/rlm_files.c Tue Aug 15 12:48:22
2006<BR>***************<BR>*** 313,324
****<BR>
continue;<BR>
}</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>
/*<BR>
* If the current request matches against
the<BR>
* check pairs, then add the reply pairs from
the<BR>
* entry to the current list of reply
pairs.<BR>
*/<BR>!
if ((paircmp(request, request_pairs, pl->check, reply_pairs) == 0))
{<BR>
if ((mainconfig.do_usercollide)
&&<BR>
(strcmp(pl->name, "DEFAULT"))) {</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>--- 313,327
----<BR>
continue;<BR>
}</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>+
/* Don't let paircmp overwrite original record when expanding variables
*/<BR>+
check_tmp =
paircopy(pl->check);<BR>+<BR>
/*<BR>
* If the current request matches against
the<BR>
* check pairs, then add the reply pairs from
the<BR>
* entry to the current list of reply
pairs.<BR>
*/<BR>!
if ((paircmp(request, request_pairs, check_tmp, reply_pairs) == 0))
{<BR>
if ((mainconfig.do_usercollide)
&&<BR>
(strcmp(pl->name, "DEFAULT"))) {</SPAN></FONT></DIV>
<DIV> </DIV>
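<DIV><FONT face=Arial size=2>Review bot: The paircopy(pl-&gt;check) added ahead
of paircmp() in the 313,327 hunk now runs for every users entry the loop
reaches, whether or not it matches, so each request pays an allocate-and-free
per entry; it also leaves paircmp() itself still writing the xlat result into
whatever check list it is handed, so other callers that pass a long-lived list
would hit the same stale expansion. Consider making the expansion inside
paircmp() use a temporary value, or extend the new comment to say this is a
caller-side workaround.</FONT></DIV>
<DIV>&nbsp;</DIV>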
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>***************<BR>*** 331,337
****<BR>
check_save = paircopy(request->config_items);</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>
/* Copy this users check pairs to the request
*/<BR>-
check_tmp =
paircopy(pl->check);<BR>
pairmove(check_pairs,
&check_tmp);<BR>
pairfree(&check_tmp);</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN class=404533504-16082006>--- 334,339
----<BR>***************<BR>*** 367,373 ****</SPAN></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006>
DEBUG2(" users: Matched entry %s at line %d", pl->name,
pl->lineno);<BR>
found =
1;<BR>-
check_tmp =
paircopy(pl->check);<BR>
reply_tmp =
paircopy(pl->reply);<BR>
pairxlatmove(request, reply_pairs,
&reply_tmp);<BR>
pairmove(check_pairs, &check_tmp);<BR>--- 369,374
----<BR>***************<BR>*** 379,384 ****<BR>--- 380,387
----<BR>
*/<BR>
if
(!fallthrough(pl->reply))<BR>
break;<BR>+
} else
{<BR>+
pairfree(&check_tmp);<BR>
}<BR> }</SPAN></FONT></DIV>
<DIV> </DIV>
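<DIV><FONT face=Arial size=2>Review bot: In the 331,337 hunk, with the local
paircopy removed, pairmove(check_pairs, &amp;check_tmp) now moves the list that
paircmp() has already expanded, so the request's check items receive the xlat
result rather than a fresh copy of pl-&gt;check with the %{...} template; the
same holds for the pairmove in the 367,373 hunk. If that is intended, update
the comment "Copy this users check pairs to the request" to say so; if not,
keep a separate unexpanded copy for the move.</FONT></DIV>
<DIV>&nbsp;</DIV>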
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
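<DIV><FONT face=Arial size=2>Review bot: The else { pairfree(&amp;check_tmp); }
added in the 380,387 hunk releases the copy only when paircmp() does not match,
while the matched path can leave the loop through
if (!fallthrough(pl-&gt;reply)) break; and the only pairfree on check_tmp
visible in the matched code is in the usercollide branch (331,337). Please
confirm the ordinary matched path frees check_tmp after its pairmove, or free
it at one point that every matched path reaches before the break, so the
per-entry copy cannot leak.</FONT></DIV>
<DIV>&nbsp;</DIV>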
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV>
<DIV><FONT face=Arial size=2><SPAN
class=404533504-16082006></SPAN></FONT> </DIV></BODY></HTML>