LDAP Accounting

Olivier Beytrison olivier at heliosnet.org
Tue Dec 11 11:28:10 CET 2012

On 10.12.2012 20:03, Arran Cudbard-Bell wrote:
> Hmm wow, oops, this is why you shouldn't write C when tired. Should all work now.

How come, I thought we always wrote code while being tired, in the
middle of the night, with a mug of coffee ;)

> As an added bonus for your bug finding, it now supports ++, which is sort of undocumented but apparently supported according to comments in the OpenLDAP code.
>  * Example:
>  *	LDAPMod	*mods[] = { 
>  *			{ LDAP_MOD_ADD, "cn", { "babs jensen", "babs", 0 } },
>  *			{ LDAP_MOD_REPLACE, "sn", { "babs jensen", "babs", 0 } },
>  *			{ LDAP_MOD_DELETE, "ou", 0 },
>  *			{ LDAP_MOD_INCREMENT, "uidNumber", { "1", 0 } },
>  *			0
>  *		}
> #define LDAP_MOD_ADD		(0x0000)
> #define LDAP_MOD_DELETE		(0x0001)
> #define LDAP_MOD_REPLACE	(0x0002)
> #define LDAP_MOD_INCREMENT	(0x0003) /* OpenLDAP extension */
> Guessed it'd be useful for maintaining a login counter or something...

Nice, Christmas before time!

While doing my tests I was surprised that most of them returned
"Modification successful" while they should have thrown an error. Pull
request sent to correct this ;)

So, here are some results of my tests:
1. Using := set operator
  a. If attribute is not present in the LDAP, will create it and set the
  b. If attribute is present, it will replace its value.
  c. If multiple attributes are present, it will replace all attributes
by a single attribute with the passed value (Use with caution!)

2. Using += add operator
  a. If attribute is not present, will create it and set the value
  b. If attribute is already present, will create a new one with the
passed value, if multi-valued
  c. If attribute is already present, and single-valued, it will fail
with "Constraint violation"

3. Using -= del operator
The del operator is harder to use. If you have an LDAP attribute with a
static value, let's say description = "Logged in", putting description -=
"Logged in" will remove it.
If the value is dynamic, you need to xlat it first. But this will fail
for multi-valued argument. Working example:
roomNumber -=
This will successfully remove an attribute that was originally added
with roomNumber := "User %{%{Stripped-User-Name}:-%{User-Name}} logged
in at %S"

4. Using ++ increment operator

I've not been able to use the ++ operator. Novell eDirectory doesn't
support the RFC 4525 LDAP Modify-Increment operation. (Not listed in the
root DSE in supportedExtension and LDAP_MOD_INCREMENT returns protocol
error). This should be tested against an OpenLDAP server.

In the meantime I also noticed that using a single-quoted string throws a
segmentation fault in the update section. Full backtrace here

That's it!



 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mobile: +41 (0)78 619 73 53
 Mail: olivier at heliosnet.org
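
Added example, not part of the original message and not FreeRADIUS or OpenLDAP code: a small in-memory model of the operator behaviour reported in the message above, including ++ being refused when the server lacks Modify-Increment. The operator-to-LDAP_MOD mapping, the result codes, `struct attr`, `op_to_mod`, `apply` and `has_incr` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Operation codes as quoted from the OpenLDAP header in the message above. */
#define LDAP_MOD_ADD       0x0000
#define LDAP_MOD_DELETE    0x0001
#define LDAP_MOD_REPLACE   0x0002
#define LDAP_MOD_INCREMENT 0x0003

/* Hypothetical result codes for this model (not libldap's numeric values). */
enum { OK, CONSTRAINT_VIOLATION, NO_SUCH_ATTRIBUTE, PROTOCOL_ERROR, BAD_OPERATOR };
#define MAX_VALS 8
struct attr { int single_valued; int n; char vals[MAX_VALS][64]; };

/* Assumed operator mapping, inferred from the results reported above. */
int op_to_mod(const char *op) {
    if (!strcmp(op, ":=")) return LDAP_MOD_REPLACE;
    if (!strcmp(op, "+=")) return LDAP_MOD_ADD;
    if (!strcmp(op, "-=")) return LDAP_MOD_DELETE;
    if (!strcmp(op, "++")) return LDAP_MOD_INCREMENT;
    return -1;
}

/* Apply one modification; has_incr models server support for RFC 4525. */
int apply(struct attr *a, const char *op, const char *val, int has_incr) {
    switch (op_to_mod(op)) {
    case LDAP_MOD_REPLACE:   /* every existing value collapses into one */
        a->n = 1; snprintf(a->vals[0], sizeof a->vals[0], "%s", val); return OK;
    case LDAP_MOD_ADD:       /* a second value on a single-valued attribute fails */
        if ((a->single_valued && a->n > 0) || a->n == MAX_VALS) return CONSTRAINT_VIOLATION;
        snprintf(a->vals[a->n++], sizeof a->vals[0], "%s", val); return OK;
    case LDAP_MOD_DELETE:    /* only an exact value match is removed */
        for (int i = 0; i < a->n; i++)
            if (!strcmp(a->vals[i], val)) {
                memmove(a->vals[i], a->vals[a->n - 1], sizeof a->vals[0]);
                a->n--; return OK;
            }
        return NO_SUCH_ATTRIBUTE;
    case LDAP_MOD_INCREMENT: /* refused outright when the server lacks the feature */
        if (!has_incr) return PROTOCOL_ERROR;
        if (a->n == 0) return NO_SUCH_ATTRIBUTE;
        for (int i = 0; i < a->n; i++)
            snprintf(a->vals[i], sizeof a->vals[0], "%ld", strtol(a->vals[i], NULL, 10) + strtol(val, NULL, 10));
        return OK;
    default: return BAD_OPERATOR;
    }
}
```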
