ldap group membership issue in 3.0.4 RC1

Kevin Wasserman krwasserman at painless-security.com
Wed Jun 25 19:17:06 CEST 2014


In testing our merge of 3.0.4 RC1 it seems that rlm_ldap_groupcmp() is 
no longer invoked to check group membership when evaluating unlang 
conditionals and instead always returns FALSE.

Previously, in 3.0.1, when freeradius parsed our policy.d/user-filter 
unlang, it generated (output culled from "freeradius -fxx -l stdout"):

(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(7) Searching for user in group "Professors"
rlm_ldap (ldap-psec): Opening additional connection (7)
<<details omitted>>
(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> TRUE

Now I never see "Searching for user in group", but rather simply:

(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> FALSE

Running under gdb, a breakpoint set on rlm_ldap_groupcmp is never hit.

Any ideas?

Kevin Wasserman
Painless Security, LLC
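An added check, not code from the post or from FreeRADIUS: a small Python parser over debug output in the format quoted above that flags Ldap-Group conditionals resolving to FALSE with no intervening "Searching for user in group" line, which is the symptom described. The sample lines are constructed from the ones in the post.

```python
import re

# Constructed sample of "freeradius -fxx -l stdout" debug output, modelled on the
# lines quoted in the post: request 7 performs the LDAP group search, request 8
# resolves the same conditional to FALSE without ever searching.
SAMPLE_DEBUG = """\
(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(7) Searching for user in group "Professors"
rlm_ldap (ldap-psec): Opening additional connection (7)
(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> TRUE
(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> FALSE
"""

COND_RE = re.compile(r'^\((\d+)\)\s+\? if \((.+?)\)(?:\s+->\s+(TRUE|FALSE))?\s*$')
SEARCH_RE = re.compile(r'^\((\d+)\) Searching for user in group "([^"]+)"')

def audit_group_checks(debug_text):
    """Return {request_id: {"condition", "result", "searched"}} for every
    Ldap-Group conditional. 'searched' is True only if a 'Searching for user
    in group' line for the same request appears between the conditional's
    opening line and its '-> TRUE/FALSE' result line."""
    open_conds = {}  # request id -> conditional still awaiting its result line
    findings = {}
    for line in debug_text.splitlines():
        m = SEARCH_RE.match(line)
        if m and m.group(1) in open_conds:
            open_conds[m.group(1)]["searched"] = True
            continue
        m = COND_RE.match(line)
        if not m or "Ldap-Group" not in m.group(2):
            continue
        rid, cond, result = m.groups()
        if result is None:
            open_conds[rid] = {"condition": cond, "result": None, "searched": False}
        elif rid in open_conds:
            rec = open_conds.pop(rid)
            rec["result"] = result
            findings[rid] = rec
    return findings

def silent_false(findings):
    """Request ids whose group check returned FALSE without any LDAP search,
    i.e. the regression symptom described in the post."""
    return sorted(rid for rid, rec in findings.items()
                  if rec["result"] == "FALSE" and not rec["searched"])
```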

