ldap group membership issue in 3.0.4 RC1

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jun 25 21:10:14 CEST 2014


On 25 Jun 2014, at 18:17, Kevin Wasserman <krwasserman at painless-security.com> wrote:

> Hello,
> 
> In testing our merge of 3.0.4 RC1 it seems that rlm_ldap_groupcmp() is no longer invoked to check group membership when evaluating unlang conditionals and instead always returns FALSE.
> 
> Previously, in 3.0.1, when freeradius parsed our policy.d/user-filter unlang generated (output culled from "freeradius -fxx -l stdout"):
> 
> (7)       ? if (control:ldap-psec-Ldap-Group == "Professors")
> (7) Searching for user in group "Professors"
> rlm_ldap (ldap-psec): Opening additional connection (7)
> <<details omitted>>
> (7)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> TRUE
> 
> Now I never see "Searching for user in group", but rather simply:
> (8)       ? if (control:ldap-psec-Ldap-Group == "Professors")
> (8)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> FALSE
> 
> Running under gdb, a breakpoint set on rlm_ldap_groupcmp is never hit.
> 

Works fine without the instance name. I'm guessing it's some of the pass2
stuff Alan did in v3.0.x.

Please post an issue on http://bugs.freeradius.org

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
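
A regression check for the symptom reported above, as an added example that is not part of the original thread or of FreeRADIUS: it scans `freeradius -fxx` debug output for Ldap-Group conditionals that reach a result without a "Searching for user in group" line for the same request. The sample log is constructed from the two excerpts quoted in the report, the function name is hypothetical, and the line formats are assumed to match those excerpts.

```python
import re

# Constructed sample, assembled from the two debug excerpts quoted in the report.
SAMPLE = """\
(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(7) Searching for user in group "Professors"
rlm_ldap (ldap-psec): Opening additional connection (7)
(7)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> TRUE
(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")
(8)       ? if (control:ldap-psec-Ldap-Group == "Professors")  -> FALSE
"""

# "(N)  ? if (<condition mentioning Ldap-Group>)" with an optional "-> RESULT".
COND = re.compile(
    r'^\((\d+)\)\s+\? if \((.*Ldap-Group\b.*)\)(?:\s+-> (TRUE|FALSE))?\s*$')
# "(N) Searching for user in group ..." is logged when the group lookup runs.
SEARCH = re.compile(r'^\((\d+)\) Searching for user in group')


def unsearched_group_checks(log_text):
    """Return (request_id, condition, result) for each Ldap-Group conditional
    that produced a result with no group search logged since it was opened."""
    pending = {}    # (request id, condition) -> True once a search was seen
    findings = []
    for line in log_text.splitlines():
        m = SEARCH.match(line)
        if m:
            # Credit the search to every open conditional of that request.
            for key in pending:
                if key[0] == m.group(1):
                    pending[key] = True
            continue
        m = COND.match(line)
        if not m:
            continue
        req, cond, result = m.groups()
        if result is None:
            pending[(req, cond)] = False        # evaluation started
        elif not pending.pop((req, cond), False):
            findings.append((req, cond, result))  # resolved without a lookup
    return findings


if __name__ == "__main__":
    for req, cond, result in unsearched_group_checks(SAMPLE):
        print(f"request {req}: ({cond}) -> {result} with no LDAP group search")
```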
