redundant LDAP-Group
Phil Mayers
p.mayers at imperial.ac.uk
Thu Dec 2 13:52:29 CET 2010
On 02/12/10 11:54, Alexander Clouter wrote:
> It would be really nice to fold those duplicate LDAP-Group lines into
> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
> ----
> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string "it-switch-admin" for attribute name "ldap_login-LDAP-Group"
> Errors reading /etc/freeradius/LOCAL/users-login
AFAICT this doesn't really work because of the way the attributes
comparisons are actually handled.
You probably know this, but: Basically when a copy of the "ldap" module
is instantiated, it registers a "paircompare" handler for the global
"LDAP-Group", then if the module is named:
1. Registers a new attribute "modname-LDAP-Group"
2. Registers a "paircompare" handler for that attribute
The "redundant" construct has no way to know about this; the "ldap"
module(s) are instantiated (and the attribute/comparisons registered)
completely separately from the redundant{} processing.
Similar problems hold for the %{modname:} xlat stuff; modules can
potentially register any xlat they like, and the modgroup code doesn't
know about that.
In addition, the "paircompare" handlers currently don't return an error
status; they just return an integer, 0 meaning "equality", so a
redundant paircompare would have no way of distinguishing a "LDAP OK,
user not in group" from "LDAP down, try next module", and would end up
querying both LDAP modules much of the time.
More information about the Freeradius-Users
mailing list