[PATCH] ldap: fix documented syntax for doing group-membership-checks

Jason Long jlong at messiah.edu
Mon Aug 18 19:00:08 CEST 2008


When I upgraded from 1.1.7 to 2.0.5, my group-checking rules stopped
working. By running FreeRadius in debug mode, I noticed that the
filters it was constructing to do the group-membership check were
incorrect.

My configuration had this (in modules/ldap):

    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"

But the debug output had this:

  expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))
       -> (&(objectClass=groupOfNames)(member=))

Apparently, in this version, the syntax of %{Ldap-UserDn} should now
be %{control:Ldap-UserDn}. Thanks to Alan DeKok for letting me know.
I have verified that this works.

The attached patch updates the documentation to show the correct
syntax, and fixes the default value in rlm_ldap.c.
---

 doc/rlm_ldap                    |    4 ++--
 raddb/modules/ldap              |    2 +-
 src/modules/rlm_ldap/rlm_ldap.c |    2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)


diff --git a/doc/rlm_ldap b/doc/rlm_ldap
index 32f7e8e..56467b6 100644
--- a/doc/rlm_ldap
+++ b/doc/rlm_ldap
@@ -232,9 +232,9 @@ the rlm_ldap module:
 #	groupmembership_filter: The filter to search for group membership of a
 #	particular user after we have found the DN for the group.
 #
-#	default: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
+#	default: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
 #
-#	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"	
+#	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"	
 
 
 #	groupmembership_attribute: The attribute in the user entry that states
diff --git a/raddb/modules/ldap b/raddb/modules/ldap
index 1f0ff88..a330214 100644
--- a/raddb/modules/ldap
+++ b/raddb/modules/ldap
@@ -126,7 +126,7 @@ ldap {
 	#  Group membership checking.  Disabled by default.
 	#
 	# groupname_attribute = cn
-	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
+	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
 	# groupmembership_attribute = radiusGroupName
 
 	# compare_check_items = yes
diff --git a/src/modules/rlm_ldap/rlm_ldap.c b/src/modules/rlm_ldap/rlm_ldap.c
index b127417..bb2be91 100644
--- a/src/modules/rlm_ldap/rlm_ldap.c
+++ b/src/modules/rlm_ldap/rlm_ldap.c
@@ -280,7 +280,7 @@ static const CONF_PARSER module_config[] = {
 	{"groupname_attribute", PW_TYPE_STRING_PTR,
 	 offsetof(ldap_instance,groupname_attr), NULL, "cn"},
 	{"groupmembership_filter", PW_TYPE_STRING_PTR,
-	 offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"},
+	 offsetof(ldap_instance,groupmemb_filt), NULL, "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"},
 	{"groupmembership_attribute", PW_TYPE_STRING_PTR,
 	 offsetof(ldap_instance,groupmemb_attr), NULL, NULL},
 
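Review bot: The new default on the `+` line fixes the expansion but leaves nothing in the source explaining why the `control:` list qualifier is required, so the next person who "simplifies" it back to `%{Ldap-UserDn}` will silently reintroduce the `(member=)` expansion the description reports. I'd add a comment above the `groupmembership_filter` entry: `/* Ldap-UserDn lives in the request's control list; a bare %{Ldap-UserDn} expands to "" and yields "(member=)", which is why group checks stopped working. */`, and note in it that the same literal is duplicated in doc/rlm_ldap and raddb/modules/ldap and must be kept in sync with this default. Whether the expanded DN is passed through the module's LDAP filter escaping before the search is not visible in this hunk; if it is not, a DN containing filter metacharacters such as `(`, `)`, `*` or `\` would change the filter's structure, although the value originates from the directory rather than from the supplicant. The `module_config[]` table begins and ends outside the hunk.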



