rlm_ldap & access_attr

Fred fred.maison at gmail.com
Thu Sep 29 16:50:19 CEST 2011


Hi all,
After some more reading of the rlm_ldap code, I saw that a static
comparison is made with "FALSE" to detect disabled access, which is
fairly limiting ...

Here is a small rlm_ldap patch I have tested with 2.1.12pre, which
allows configuring an arbitrary deny value for access_attr.
The config parameter exposed in ${config}/modules/ldap is access_attr_deny_value.
Its default value is "FALSE" as before, so if access_attr is dialupAccess
and dialupAccess == "FALSE" in the LDAP database, the user is rejected.

This is useful, for example, to use inetUserStatus as access_attr,
because the common values for this attribute are [active|inactive].

ldap module sample config:
access_attr = inetUserStatus
access_attr_deny_value = "inactive"
access_attr_used_for_allow = yes

I don't think Alan will accept committing this change for 2.1.12 one
day before it's out, but let's try!

#######################################
	
        char           *access_attr;
	char		*access_attr_deny_value;
	char           *passwd_hdr;
.....
	 *	Access limitations
	 */
	/* LDAP attribute name that controls remote access */
	{"access_attr", PW_TYPE_STRING_PTR,
	 offsetof(ldap_instance,access_attr), NULL, NULL},
	{"access_attr_used_for_allow", PW_TYPE_BOOLEAN,
	 offsetof(ldap_instance,default_allow), NULL, "yes"},
	{"access_attr_deny_value", PW_TYPE_STRING_PTR,
	 offsetof(ldap_instance,access_attr_deny_value), NULL, "FALSE"},
	{"chase_referrals", PW_TYPE_BOOLEAN,
	 offsetof(ldap_instance,chase_referrals), NULL, NULL},
	{"rebind", PW_TYPE_BOOLEAN,
	 offsetof(ldap_instance,rebind), NULL, NULL},
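Review bot: the new access_attr_deny_value entry is undocumented in this fragment: the two entries above it carry an "Access limitations" comment while this one has none, and the matching raddb/modules/ldap sample-config and doc text that would explain it (what the value is compared against, that the default "FALSE" keeps the previous behaviour, and that it has no effect unless access_attr is set) are not part of the posted code. Add a short comment block beside the entry and the corresponding sample-config lines so the option is discoverable by someone reading the shipped config.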

.....

	/* Remote access is controled by attribute of the user object */
	if (inst->access_attr) {
		if ((vals = ldap_get_values(conn->ld, msg, inst->access_attr)) != NULL) {
			if (inst->default_allow){
				RDEBUG("checking if remote access for %s is allowed by %s",
request->username->vp_strvalue, inst->access_attr);
				if (!strncmp(vals[0], inst->access_attr_deny_value,
sizeof(inst->access_attr_deny_value))) {
					RDEBUG("dialup access disabled");
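Review bot: the strncmp length in the comparison is wrong: `sizeof(inst->access_attr_deny_value)` is the size of a `char *` (4 or 8 bytes), not the length of the configured string, so only the first pointer-size bytes of `vals[0]` are compared. With the default "FALSE" on a 64-bit build that happens to cover the whole word, but on a 32-bit build "FALS" is enough, and for any deny value longer than a pointer a prefix match is enough ("inactive-pending" would be rejected as "inactive"). Replace it with a full-string comparison, and since inetUserStatus and most other DirectoryString attributes use case-ignoring equality matching, make it case-insensitive: `if (strcasecmp(vals[0], inst->access_attr_deny_value) == 0) {`. Two smaller points in the same hunk: only `vals[0]` is examined, so a multi-valued attribute whose deny value is not first is silently allowed (loop over `vals` until NULL), and the "dialup access disabled" debug message still hard-codes dialup although the attribute is now arbitrary; log `inst->access_attr` and the matched value instead.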
.....
######################

Best regards,
Fred
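
The comparison in the patch above, rewritten as a stand-alone C program so the effect of passing sizeof() of a pointer to strncmp can be seen on realistic attribute values. This is an added example, not FreeRADIUS or rlm_ldap code: access_denied_as_posted() reproduces the posted comparison, access_denied_fixed() is one corrected form (full-string, case-insensitive, all values checked), and the inetUserStatus value arrays are constructed to look like what ldap_get_values() returns.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/*
 * Added example (not FreeRADIUS code): the access_attr deny check for the
 * access_attr_used_for_allow = yes branch, written twice.
 *
 * access_denied_as_posted() mirrors the patch: the length handed to strncmp
 * is sizeof() of a char pointer, so only the first 4 or 8 bytes of the
 * attribute value take part in the comparison.
 *
 * access_denied_fixed() compares the whole string case-insensitively and
 * walks every value of a multi-valued attribute.
 *
 * `vals` is a NULL-terminated array of strings, the shape ldap_get_values()
 * returns; the arrays below are constructed sample data.
 */

int access_denied_as_posted(const char *const *vals, const char *deny_value)
{
    /* stand-in for inst->access_attr_deny_value, a char * in ldap_instance */
    const char *cfg_deny = deny_value;

    if (vals == NULL || vals[0] == NULL)
        return 0;

    /* BUG reproduced on purpose: sizeof(cfg_deny) is the pointer size,
     * not strlen(cfg_deny), so this is a prefix match of 4 or 8 bytes. */
    return strncmp(vals[0], cfg_deny, sizeof(cfg_deny)) == 0;
}

int access_denied_fixed(const char *const *vals, const char *deny_value)
{
    if (vals == NULL)
        return 0;

    for (size_t i = 0; vals[i] != NULL; i++) {
        /* DirectoryString attributes normally use caseIgnoreMatch, so
         * "Inactive" in the directory must still count as a match. */
        if (strcasecmp(vals[i], deny_value) == 0)
            return 1;
    }
    return 0;
}

/* Constructed inetUserStatus values for a few hypothetical users. */
static const char *const user_inactive[]        = { "inactive", NULL };
static const char *const user_inactive_legacy[] = { "inactive-legacy", NULL };
static const char *const user_upper[]           = { "INACTIVE", NULL };
static const char *const user_active[]          = { "active", NULL };
static const char *const user_multi[]           = { "active", "inactive", NULL };

int main(void)
{
    const char *deny = "inactive";   /* access_attr_deny_value */
    struct { const char *label; const char *const *vals; } cases[] = {
        { "inactive",        user_inactive },
        { "inactive-legacy", user_inactive_legacy },
        { "INACTIVE",        user_upper },
        { "active",          user_active },
        { "active,inactive", user_multi },
    };

    printf("%-18s %-8s %-8s\n", "inetUserStatus", "posted", "fixed");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-18s %-8s %-8s\n", cases[i].label,
               access_denied_as_posted(cases[i].vals, deny) ? "reject" : "accept",
               access_denied_fixed(cases[i].vals, deny) ? "reject" : "accept");
    }
    return 0;
}
```

Running it shows the posted comparison rejecting "inactive-legacy" (prefix match), accepting "INACTIVE" (case differs) and accepting a user whose second value is "inactive" (only vals[0] is looked at), while the fixed version decides each of those the way an administrator would expect. The result for "inactive-legacy" is the same on 32- and 64-bit builds only because the deny value is at least as long as a pointer; with a shorter value the posted code behaves like strcmp, which is why the default "FALSE" hid the bug.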

2011/9/23 Fred <fred.maison at gmail.com>:
> Hi all,
>
> I am using FR 2.1.11 and I am trying to implement access_attr &
> access_attr_used_for_allow with rlm_ldap.
> modules/ldap.conf :
> ....
> access_attr = inetUserStatus
> access_attr_used_for_allow    = yes
> compare_check_items = no
> do_xlat = yes
> set_auth_type = yes
> ...
>
> Inside our OpenLDAP, the attribute is inetUserStatus, whose value can
> be (active/inactive).
> According to the rlm_ldap docs, this should be a boolean (yes/no/TRUE/FALSE).
> At the moment, access is granted if inetUserStatus is set to active as well
> as if inetUserStatus is set to inactive, I suppose because FR does not
> interpret those values as TRUE/yes or FALSE/no ..
>
> As I cannot act on the LDAP server side (many other applications already use
> this attribute value pair), is there any way to have this working on the
> freeradius side?
> Is it necessary to ldap.attrmap this attribute to use this feature?
> Could I (for example) update the attribute recovered from LDAP during
> authorization and change inactive to FALSE or active to TRUE?
>
> debug extract :
> Fri Sep 23 12:54:05 2011 : Info: [ldap] performing user authorization for
> user_sps
> Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand:
> %{Stripped-User-Name} ->
> Fri Sep 23 12:54:05 2011 : Info: [ldap]         ... expanding second
> conditional
> Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand: %{User-Name} ->
> user_sps
> Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand:
> (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=user_sps)
> Fri Sep 23 12:54:05 2011 : Info: [ldap]         expand:
> dc=corp,dc=toto,dc=com -> dc=corp,dc=toto,dc=com
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] attempting LDAP reconnection
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] (re)connect to 10.49.64.25:389,
> authentication 0
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] bind as
> cn=syncuser,dc=toto,dc=com/L?JHLjvk to 10.49.64.25:389
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] waiting for bind result ...
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] Bind was successful
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] performing search in
> dc=corp,dc=toto,dc=com, with filter (uid=user_sps)
> Fri Sep 23 12:54:05 2011 : Info: [ldap] checking if remote access for
> user_sps is allowed by inetUserStatus
> Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for check items in
> directory...
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] userPassword ->
> Password-With-Header == "{SSHA}SnrchnIFWrKzn+nOzZem4YjMjRqHiavi"
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ntPassword -> NT-Password ==
> 0x7305108b06d9839d8530b917307803e9
> Fri Sep 23 12:54:05 2011 : Info: [ldap] looking for reply items in
> directory...
> Fri Sep 23 12:54:05 2011 : Info: [ldap] Setting Auth-Type = LDAP
> Fri Sep 23 12:54:05 2011 : Info: [ldap] user user_sps authorized to use
> remote access
> Fri Sep 23 12:54:05 2011 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Fri Sep 23 12:54:05 2011 : Info: ++[ldap] returns ok
> Fri Sep 23 12:54:05 2011 : Info: [files] users: Matched entry user_sps at
> line 1
> Fri Sep 23 12:54:05 2011 : Info: ++[files] returns ok
>
>
> Best regards,
>
> Fred MAISON
>
