rlm_ldap in FR3.0
Maja Wolniewicz
mgw at umk.pl
Tue Aug 6 13:19:31 CEST 2013
Hello,
I found a problem in the function which checks for the presence of the
access attribute (src/modules/rlm_ldap/ldap.c, rlm_ldap_check_access).
The culprit is the following code:

    vals = ldap_get_values(conn->handle, entry, inst->userobj_access_attr);
    if (vals) {
        if (inst->access_positive && (strncmp(vals[0], "false", 5) == 0)) {
            RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out");
            rcode = RLM_MODULE_USERLOCK;
        } else {
            RDEBUG("\"%s\" attribute exists - user locked out",
                   inst->userobj_access_attr);
            rcode = RLM_MODULE_USERLOCK;
        }
        ldap_value_free(vals);
    }

When access_positive is true and a user has the access attribute set to
true, the server gives "attribute exists - user locked out".
It should be changed to something like this:
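
    if (vals) {
        if (inst->access_positive) {
            /* Positive mode: only an explicit "false" locks the user out. */
            if (strncmp(vals[0], "false", 5) == 0) {
                /* Attribute name passed for the %s in the format string. */
                RDEBUG("\"%s\" attribute exists but is set to 'false' - user locked out",
                       inst->userobj_access_attr);
                rcode = RLM_MODULE_USERLOCK;
            }
        } else {
            /* Negative mode: presence of the attribute locks the user out. */
            RDEBUG("\"%s\" attribute exists - user locked out",
                   inst->userobj_access_attr);
            rcode = RLM_MODULE_USERLOCK;
        }
        ldap_value_free(vals);
    }
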
Greetings,
Maja
--
Maja Gorecka-Wolniewicz mgw at umk.pl
Uczelniane Centrum Information & Communication
Informatyczne Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574
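
Added example, not part of the original post and not FreeRADIUS code: the decision logic of the two snippets above, reduced to stand-alone functions and run over every combination of access_positive and attribute value, to show which inputs the proposed change affects. The names check_quoted, check_proposed, count_differences and the result codes are hypothetical, and only the "attribute present" branch shown in the post is modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes: UNCHANGED means the snippet leaves rcode as it was. */
enum result { UNCHANGED, USERLOCK };

/* Decision logic of the code quoted as the culprit (attribute present, value = val). */
enum result check_quoted(bool access_positive, const char *val)
{
    if (access_positive && strncmp(val, "false", 5) == 0)
        return USERLOCK;        /* "exists but is set to 'false'" */
    return USERLOCK;            /* else branch: reached for every other combination */
}

/* Decision logic of the change proposed in the post. */
enum result check_proposed(bool access_positive, const char *val)
{
    if (access_positive) {
        if (strncmp(val, "false", 5) == 0)
            return USERLOCK;
        return UNCHANGED;       /* positive mode, value is not "false" */
    }
    return USERLOCK;            /* negative mode: presence alone locks the user out */
}

/* Constructed inputs: both modes crossed with both attribute values. */
static const struct { bool positive; const char *val; } cases[] = {
    { true, "true" }, { true, "false" }, { false, "true" }, { false, "false" },
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

/* Count the inputs on which the two versions disagree. */
int count_differences(void)
{
    int n = 0;
    for (size_t i = 0; i < NCASES; i++)
        n += check_quoted(cases[i].positive, cases[i].val) !=
             check_proposed(cases[i].positive, cases[i].val);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NCASES; i++)
        printf("access_positive=%d value=%-5s quoted=%s proposed=%s\n",
               cases[i].positive, cases[i].val,
               check_quoted(cases[i].positive, cases[i].val) ? "USERLOCK" : "unchanged",
               check_proposed(cases[i].positive, cases[i].val) ? "USERLOCK" : "unchanged");
    return 0;
}
```

The two versions differ on exactly one input, access_positive with the attribute set to "true", which is the case reported in the post.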