ldap group membership issue in 3.0.4 RC1
Kevin Wasserman
krwasserman at painless-security.com
Wed Jun 25 19:17:06 CEST 2014
Hello,

In testing our merge of 3.0.4 RC1 it seems that rlm_ldap_groupcmp() is
no longer invoked to check group membership when evaluating unlang
conditionals and instead always returns FALSE.

Previously, in 3.0.1, when freeradius parsed our policy.d/user-filter
unlang generated (output culled from "freeradius -fxx -l stdout"):

(7) ? if (control:ldap-psec-Ldap-Group == "Professors")
(7) Searching for user in group "Professors"
rlm_ldap (ldap-psec): Opening additional connection (7)
<<details omitted>>
(7) ? if (control:ldap-psec-Ldap-Group == "Professors") -> TRUE

Now I never see "Searching for user in group", but rather simply:

(8) ? if (control:ldap-psec-Ldap-Group == "Professors")
(8) ? if (control:ldap-psec-Ldap-Group == "Professors") -> FALSE

Running under gdb, a breakpoint set on rlm_ldap_groupcmp is never hit.

Any ideas?

Kevin Wasserman
Painless Security, LLC
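
Added example, not part of the original post and not FreeRADIUS code: a check over captured debug output that reports every Ldap-Group condition which received a result without a "Searching for user in group" line for the same request, the symptom described above. The function name and the sample text are assumptions; the sample is constructed from the two excerpts quoted in the post.

```python
import re

# Constructed sample modelled on the two debug excerpts quoted in the post.
SAMPLE = '''\
(7) ? if (control:ldap-psec-Ldap-Group == "Professors")
(7) Searching for user in group "Professors"
rlm_ldap (ldap-psec): Opening additional connection (7)
(7) ? if (control:ldap-psec-Ldap-Group == "Professors") -> TRUE
(8) ? if (control:ldap-psec-Ldap-Group == "Professors")
(8) ? if (control:ldap-psec-Ldap-Group == "Professors") -> FALSE
'''

# "(N) ? if (<attr ending in Ldap-Group> == "<group>")", optionally "-> TRUE|FALSE"
COND = re.compile(
    r'^\((\d+)\)\s+\?\s*if\s+\((\S*Ldap-Group) == "([^"]+)"\)'
    r'(?:\s+->\s+(TRUE|FALSE))?\s*$')
# "(N) Searching for user in group "<group>""
SEARCH = re.compile(r'^\((\d+)\)\s+Searching for user in group "([^"]+)"')


def unsearched_group_checks(debug_text):
    """Return (request, attribute, group, result) for each Ldap-Group
    condition that was given a result with no group search logged."""
    searched = set()    # (request id, group) pairs with a logged search
    findings = []
    for line in debug_text.splitlines():
        m = SEARCH.match(line)
        if m:
            searched.add((m.group(1), m.group(2)))
            continue
        m = COND.match(line)
        if m and m.group(4):            # only lines that carry a result
            req, attr, group, result = m.groups()
            if (req, group) not in searched:
                findings.append((int(req), attr, group, result))
            # a later evaluation in the same request needs its own search
            searched.discard((req, group))
    return findings


if __name__ == "__main__":
    for req, attr, group, result in unsearched_group_checks(SAMPLE):
        print(f"request {req}: {attr} == {group!r} -> {result} "
              "with no LDAP group search logged")
```

Run against debug output captured before and after an upgrade, it separates a group check that searched and did not match from one where no search was logged at all.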