rlm_ldap patch for access_attr_deny_value

Fred fred.maison at gmail.com
Mon Oct 3 12:50:15 CEST 2011


Please note:

As I am not a C developer, I just "mimicked" what is already done in
rlm_ldap.c to create this patch, which only checks against the "FALSE"
value.
So, this patch is not sufficient to manage multiple possible values:

For example, inetUserStatus has
- 2 possible REJECT values:
* inactive
* deleted
- 1 possible ACCEPT value:
* active

I am not able to create the patch to support checking on multiple
custom reject values.
For example: support access_attr_deny_value as a list with
space-separated values to check:
access_attr_deny_value = "inactive deleted"
or as a list with |-separated values:
access_attr_deny_value = "inactive|deleted"

Best regards,
Fred Maison

2011/10/3 Fred <fred.maison at gmail.com>:
> Hi all,
>
> This patch is an attempt to have a more generic custom access_attr
> support, by introducing a new ldap module configuration parameter
> named "access_attr_deny_value", allowing an arbitrary access_attr
> attribute value to be checked in order to reject a user.
>
> Without this patch, the configured access_attr attribute is checked
> against a static (hard-coded) "FALSE" value.
> With this patch, the rlm_ldap module user can configure not only a custom
> access_attr attribute, but also a custom access_attr_deny_value to
> control user lock status.
> The default value remains FALSE, to maintain backward compatibility.
>
> This patch has been made because if, for example, inetUserStatus is
> used at ldap server level to control user lock status, this control is
> done by the ldap server when the user tries to bind to the ldap.
> From the freeradius point of view, if the ldap bind is not done for any reason
> (i.e. because radiusd received a MSCHAP challenge, and just replayed
> MSCHAP using ntPassword or lmPassword retrieved during author), the ldap
> server will not have the occasion to reject the user at bind time, so
> radiusd has to do the job itself for inetUserStatus to be honored.
> If radiusd does not do the job, only ldap-bound users will be rejected
> (by ldap) but non-bound users will be accepted; thus the ldap
> settings disabling the user with inetUserStatus set to "inactive" will
> not be honored at radius level and the user will be unexpectedly accepted.
>
>
> For example,
> ${confdir}/modules/ldap :
> access_attr            = inetUserStatus   # OID 2.16.840.1.113730.3.1.692
> access_attr_deny_value = "inactive"
>
> With this setup, if inetUserStatus is set to inactive in the ldap
> directory for a particular user, this user will be rejected early
> during authorization.
>
> Best regards,
> Fred MAISON
>
> ###############################################
>
> diff -u ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c
> ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c
> --- ./src/freeradius-server/src/modules/rlm_ldap/rlm_ldap.c     2011-09-20
> 14:11:34.000000000 +0200
> +++ ./Documents/Radius/Freeradius/freeradius-server-2.1.12/src/modules/rlm_ldap/rlm_ldap.c      2011-09-29
> 17:39:32.000000000 +0200
> @@ -146,6 +146,7 @@
>        char           *default_profile;
>        char           *profile_attr;
>        char           *access_attr;
> +       char            *access_attr_deny_value;
>        char           *passwd_hdr;
>        char           *passwd_attr;
>        int             auto_header;
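Review bot: style only, the new struct member line is indented one column further than its neighbours (`char            *access_attr_deny_value;` versus `char           *access_attr;`); align it with the surrounding fields so the declaration block stays tidy.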
> @@ -304,6 +305,8 @@
>         offsetof(ldap_instance,access_attr), NULL, NULL},
>        {"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
>         offsetof(ldap_instance,default_allow), NULL, "yes"},
> +       {"access_attr_deny_value", PW_TYPE_STRING_PTR,
> +        offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"},
>        {"chase_referrals", PW_TYPE_BOOLEAN,
>         offsetof(ldap_instance,chase_referrals), NULL, NULL},
>        {"rebind", PW_TYPE_BOOLEAN,
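Review bot: missing documentation for the new parameter. The entry is registered as a PW_TYPE_STRING_PTR with default "FALSE", which keeps the old behaviour for existing configurations, but nothing in the patch adds a description of `access_attr_deny_value` next to `access_attr` and `access_attr_used_for_allow` in the module's shipped configuration file (`${confdir}/modules/ldap`, referenced in the post); add a commented example there, including the default, so users know the parameter exists and that the comparison is against the attribute's value.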
> @@ -1405,8 +1408,8 @@
>        if (inst->access_attr) {
>                if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
>                        if (inst->default_allow){
> -                               RDEBUG("checking if remote access for %s is allowed by %s",
> request->username->vp_strvalue, inst->access_attr);
> -                               if (!strncmp(vals[0], "FALSE", 5)) {
> +                               RDEBUG("checking if remote access for user %s is %s by %s",
> request->username->vp_strvalue, inst->access_attr_deny_value,
> inst->access_attr);
> +                               if (!strncmp(vals[0], inst->access_attr_deny_value,
> sizeof(inst->access_attr_deny_value))) {
>                                        RDEBUG("dialup access disabled");
>                                        snprintf(module_fmsg,sizeof(module_fmsg),"  [%s] Access
> Attribute denies access", inst->xlat_name);
>                                        module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
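Review bot: logic problem in the new comparison, `strncmp(vals[0], inst->access_attr_deny_value, sizeof(inst->access_attr_deny_value))` passes the size of a `char *` (4 or 8 bytes depending on the platform), not the length of the configured string, so only the first few characters are compared and the result changes between 32-bit and 64-bit builds; for a deny value longer than a pointer (e.g. a 10-character status) any attribute value sharing that prefix would be treated as denied. Replace it with an exact comparison such as `if (strcmp(vals[0], inst->access_attr_deny_value) == 0)` (or `strcasecmp` if case-insensitive matching is wanted), which also removes the prefix-match behaviour inherited from the original `strncmp(vals[0], "FALSE", 5)`. Two smaller points: the new RDEBUG text "is %s by %s" reads as "is inactive by inetUserStatus", so reword it (e.g. "checking if %s for user %s equals deny value %s"); and the check still looks at `vals[0]` only, so a multi-valued attribute whose deny value is not first is not caught.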
>
>
> ###############################################
>
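The reply above asks for `access_attr_deny_value` to accept several reject values, separated either by spaces or by `|`, and the quoted hunk compares only the first attribute value with a fixed-length `strncmp`. The following is an added example, not code from the post or from rlm_ldap: a small, self-contained C matcher that splits the configured list on both delimiters, matches each attribute value exactly (case-insensitively, so neither "inac" nor "inactiveXYZ" matches "inactive"), and walks every value of a multi-valued attribute in the NULL-terminated `char **` shape that `ldap_get_values()` returns. All function names and the sample values are assumptions made for the example; how rlm_ldap treats a missing attribute is not shown in the post and is not modelled here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not rlm_ldap code. Compares one attribute value
 * with one deny token of length `len`: lengths must be equal, so this is
 * an exact match rather than a prefix match, and case is ignored. */
static bool token_equals(const char *value, const char *tok, size_t len)
{
    if (strlen(value) != len) return false;
    for (size_t i = 0; i < len; i++) {
        if (tolower((unsigned char)value[i]) != tolower((unsigned char)tok[i]))
            return false;
    }
    return true;
}

/* Return true if `value` equals one of the tokens in `deny_list`, where
 * tokens are separated by spaces or '|' (both forms proposed in the post,
 * e.g. "inactive deleted" or "inactive|deleted"). */
static bool value_is_denied(const char *value, const char *deny_list)
{
    const char *p = deny_list;
    if (value == NULL || deny_list == NULL) return false;
    while (*p != '\0') {
        while (*p == ' ' || *p == '|') p++;          /* skip delimiters */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '|') p++;   /* end of token */
        if (token_equals(value, start, (size_t)(p - start))) return true;
    }
    return false;
}

/* `vals` has the shape ldap_get_values() returns: a NULL-terminated array
 * of strings. Unlike the patch, which inspects vals[0] only, every value
 * is checked, so a deny value anywhere in a multi-valued attribute counts. */
static bool access_denied(const char *const *vals, const char *deny_list)
{
    if (vals == NULL) return false;
    for (size_t i = 0; vals[i] != NULL; i++) {
        if (value_is_denied(vals[i], deny_list)) return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample data standing in for inetUserStatus values. */
    const char *deny = "inactive|deleted";
    const char *active[]   = { "active", NULL };
    const char *inactive[] = { "INACTIVE", NULL };
    const char *both[]     = { "active", "deleted", NULL };
    const char *prefix[]   = { "inactiveXYZ", NULL };

    printf("active:         %s\n", access_denied(active,   deny) ? "reject" : "accept");
    printf("INACTIVE:       %s\n", access_denied(inactive, deny) ? "reject" : "accept");
    printf("active+deleted: %s\n", access_denied(both,     deny) ? "reject" : "accept");
    printf("inactiveXYZ:    %s\n", access_denied(prefix,   deny) ? "reject" : "accept");
    return 0;
}
```

The deny list is scanned on every call rather than pre-split at module load, which keeps the example short; in a real module the list would be tokenised once in the instantiate step. Exact matching is the important part: a prefix comparison, whether via a literal length or via `sizeof` a pointer, silently changes which users are rejected depending on the configured string and the build's pointer width.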